Abstract. Step-indexed semantic interpretations of types were proposed as an alternative 
to purely syntactic proofs of type safety using subject reduction. The types are interpreted 
as sets of values indexed by the number of computation steps for which these values are 
guaranteed to behave like proper elements of the type. Building on work by Ahmed, Appel 
and others, we introduce a step-indexed semantics for the imperative object calculus of 
Abadi and Cardelli. Providing a semantic account of this calculus using more 'traditional', 
domain-theoretic approaches has proved challenging due to the combination of dynamically 
allocated objects, higher-order store, and an expressive type system. Here we show that, 
using step-indexing, one can interpret a rich type discipline with object types, subtyping, 
recursive and bounded quantified types in the presence of state. 



The imperative object calculus of Abadi and Cardelli is a very small, yet very expressive 
object-oriented language [2]. Despite the extreme simplicity of its syntax, the calculus 
models many important concepts of object-oriented programming, as well as the often subtle 
interaction between them. In particular it raises interesting and non-trivial questions with 
respect to typing. 

In contrast to the more common class-based object-oriented languages, in the imperative object calculus every object comes equipped with its own set of methods that can be updated at run-time. As a consequence, the methods need to reside in the store, i.e., the store is higher-order. Moreover, objects are allocated dynamically and aliasing is possible. Dynamically-allocated, higher-order store is present in different forms in many practical programming languages (e.g., pointers to functions in C and general references in SML), but it considerably complicates the construction of adequate semantic models in which one can reason about the behaviour of programs (as pointed out for instance by Reus [40]).

Purely syntactic arguments such as subject reduction suffice for proving the soundness 
of traditional type systems. However, once such type systems are turned into powerful 
specification languages, like the logic of objects of Abadi and Leino [4] or the hybrid type system of Flanagan et al. [23], purely syntactic arguments seem no longer appropriate. The meaning of assertions is no longer obvious, since they have to describe the code on the heap. We believe that specifications of program behaviour should have a meaning independent of the particular proof system on which syntactic preservation proofs rely, as also argued by Benton [13] and by Reus and Schwinghammer [41].

In the case of specifications one would ideally prove soundness with respect to a semantic model that makes a clear distinction between semantic validity and derivability using the syntactic rules. However, building such semantic models is challenging, and there is currently no fully satisfactory semantic account of the imperative object calculus:

Denotational semantics: Domain-theoretic models have been employed in proving the soundness of the logic of Abadi and Leino [41, 42]. However, the existing techniques fall short of providing convincing models of typed objects: Reus and Streicher [42] consider an untyped semantics, and the model presented by Reus and Schwinghammer [41] handles neither second-order types, nor subtyping in depth. Due to the dynamically-allocated higher-order store present in the imperative object calculus, the models rely on techniques for recursively defined domains in functor categories [31, 36]. This makes them complex, and establishing properties even for specific programs often requires a substantial effort.
Equational reasoning: Gordon et al. [25] develop reasoning principles for establishing 
the contextual equivalence of untyped objects, and apply them to prove correctness of 
a compiler optimization. Jeffrey and Rathke [29] consider a concurrent variant of the 
calculus and characterize may-testing equivalence in terms of the trace sets generated 
by a labeled transition system. In both cases the semantics is limited to equational 
reasoning, i.e., establishing contextual equivalences between programs. In theory, this 
can be used to verify a program by showing it equivalent to one that is trivially correct 
and acts as a specification. However, this can be more cumbersome in practice than using 
program logics, the established formalism for specifying and proving the correctness of 
programs. 

Translations: Abadi et al. [3] give an adequate encoding of the imperative object calculus into a lambda calculus with records, references, recursive and existential types and 
subtyping. Together with an interpretation of this target language, an adequate model 
for the imperative object calculus could, in principle, be obtained. However, we are 
not aware of any worked-out adequate domain-theoretic models for general references 
and impredicative second-order types. Even if such a model was given, it would still be 
preferable to have a self-contained semantics for the object calculus, without the added 
complexity of the (non-trivial) translation. 
A solution to the problem of finding adequate models of objects could be the step-indexed 
semantic models of types, introduced by Appel and McAllester [10] as an alternative to 
subject reduction proofs. Such models are based directly on the operational semantics, and 
are more easy to construct than the existing domain-theoretic models. The types are simply 
interpreted as sets of syntactic values indexed by a number of computation steps. Intuitively, 
a term belongs to a certain type if it behaves like an element of that type for any number of 
steps. Every type is built as a sequence of increasingly accurate semantic approximations, 
which allows one to easily deal with recursion. Type safety is an immediate consequence 
of this interpretation of types, and the semantic counterparts of the usual typing rules 
are proved as independent lemmas, either directly or by induction on the index. Ahmed 
et al. [6, 9] successfully applied this generic technique to a lambda calculus with general 
references, impredicative polymorphism and recursive types. 

In this paper we further extend the semantics of Ahmed et al. with object types and 
subtyping, and we use the resulting interpretation to prove the soundness of an expressive 
type system for the imperative object calculus. The main contribution of our work is the 
novel semantics of object types. We extend this semantics in two orthogonal ways. First, 
we adapt it to self types, i.e., recursive object types that validate the usual subtyping rules 
as well as strong typing rules with structural assumptions. Second, we study a natural 
generalization of object types that results in simpler and more expressive typing rules. 

Even though in this paper we are concerned with the safety of a type system, the step-indexing technique is not restricted to types, and has already been used for equational reasoning [5, 7, 11] and for proving the soundness of Hoare-style program logics of low-level languages [13, 14]. We expect therefore that it will eventually become possible to use a step-indexed model to prove the soundness of more expressive program logics for the imperative object calculus.

Outline. The next section introduces the syntax, operational semantics, and type system that we consider for the imperative object calculus. In Section 3 we present a step-indexed semantics for this calculus. In particular, we define the interpretations of types and establish their semantic properties. In Section 4 these properties are used to prove the soundness of the type system. Section 5 studies self types, while Section 6 discusses a natural generalization of object types. Section 7 gives a comparison to related work and Section 8 concludes. The Appendix presents the proofs of the most interesting typing and subtyping lemmas for object types, while an earlier technical report contains additional proofs [28].

2. The Imperative Object Calculus 

We recall the syntax of the imperative object calculus with recursive and second-order types, 
and introduce a small-step operational semantics for this calculus that is equivalent to the 
big-step semantics given by Abadi and Cardelli [2]. 

2.1. Syntax. Let Var, TVar and Meth be pairwise disjoint, countably infinite sets of variables, type variables and method names, respectively. Let $x, y$ range over Var, $X, Y$ range over TVar, and let $m$ range over Meth. Figure 1 defines the syntax of the types and terms of the imperative object calculus.

Objects are unordered collections of named methods, written as $[m_d = \varsigma(x_d{:}A)b_d]_{d \in D}$. In a method $m = \varsigma(x{:}A)b$, $\varsigma$ is a binder that binds the 'self' argument $x$ in the method body $b$. The self argument can be used inside the method body for invoking the methods of the containing object. Methods with arguments other than self can be obtained by having a procedure as the method body. The methods of an object can be invoked or updated, but no new methods can be added, and the existing methods cannot be deleted. The type of objects with methods named $m_d$ that return results of type $A_d$, for $d$ in some set $D$, is written as $[m_d :^{\nu_d} A_d]_{d \in D}$, where $\nu \in \{o, +, -\}$ is a variance annotation that indicates if the method is considered invoke-only ($+$), update-only ($-$), or if it may be used without restriction ($o$).

While procedural abstractions are sometimes defined in the imperative object calculus using an additional let construct, we include them as primitives. We write procedures with type $A \to B$ as $\lambda(x{:}A)b$ and applications as $a\ b$, respectively. We use $\mathrm{fold}_A$ and $\mathrm{unfold}_A$ to denote the isomorphism between a recursive type $\mu(X)B$ and its unfolding $\{X \mapsto \mu(X)B\}(B)$. Finally, we consider bounded universal and existential types $\forall(X \le A)B$ and $\exists(X \le A)B$ along with their introduction and elimination forms [21].

$$\begin{array}{rcll}
A, B & ::= & X \mid \mathit{Top} \mid \mathit{Bot} \mid A \to B \mid [m_d :^{\nu_d} A_d]_{d \in D} \mid \mu(X)A \mid \forall(X \le A)B \mid \exists(X \le A)B & \text{(type expressions)} \\
\nu & ::= & o \mid + \mid - & \text{(variance annotations)} \\
a, b & ::= & x & \text{(variable)} \\
 & \mid & [m_d = \varsigma(x_d{:}A)b_d]_{d \in D} & \text{(object creation)} \\
 & \mid & a.m & \text{(method invocation)} \\
 & \mid & a.m := \varsigma(x{:}A)b & \text{(method update)} \\
 & \mid & \mathrm{clone}\ a & \text{(shallow copy)} \\
 & \mid & \lambda(x{:}A)b & \text{(procedure)} \\
 & \mid & a\ b & \text{(application)} \\
 & \mid & \mathrm{fold}_A\ b & \text{(recursive folding)} \\
 & \mid & \mathrm{unfold}_A\ b & \text{(recursive unfolding)} \\
 & \mid & \Lambda(X \le A)b & \text{(type abstraction)} \\
 & \mid & a[A] & \text{(type application)} \\
 & \mid & \mathrm{pack}\ X \le A = C\ \mathrm{in}\ a{:}B & \text{(existential package)} \\
 & \mid & \mathrm{open}\ a\ \mathrm{as}\ X \le A, x{:}B\ \mathrm{in}\ b{:}C & \text{(package opening)}
\end{array}$$

Figure 1: Syntax of types and terms

The set of free variables of a term $a$ is denoted by $fv(a)$, and similarly the free type variables in a type $A$ by $fv(A)$. We identify types and terms up to the consistent renaming of bound variables. We use $\{t \mapsto r\}$ to denote the singleton map that maps $t$ to $r$. For a finite map $\sigma$ from variables to terms, $\sigma(a)$ denotes the result of capture-avoiding substitution of all $x \in fv(a) \cap dom(\sigma)$ by $\sigma(x)$. The same notation is used for the substitution of type variables. Generally, for any function $f$, the notation $f[t := r]$ denotes the function that maps $t$ to $r$, and otherwise agrees with $f$.



2.2. Operational Semantics. Let Loc be a countably infinite set of heap locations ranged over by $l$. We extend the set of terms by run-time representations of objects $\{m_d = l_d\}_{d \in D}$, associating heap locations to a set of method names. Values are given by the grammar:

$$v \in \mathit{Val} ::= \{m_d = l_d\}_{d \in D} \mid \lambda(x{:}A)b \mid \mathrm{fold}_A\ v \mid \Lambda(X \le A)b \mid \mathrm{pack}\ X \le A = C\ \mathrm{in}\ v{:}B$$

Apart from run-time objects, values consist of procedures, values of recursive type, type abstractions and existential packages as in the call-by-value lambda calculus. We often only consider terms and values without free variables, and denote the set of these closed terms and closed values by CTerm and CVal, respectively. A program is a closed term that does not contain any locations, and we denote the set of all programs by Prog. A heap $h$ is a finite map from Loc to CVal$^1$, and we write Heap for the set of all heaps.

Figure 2 defines the set of evaluation contexts, formalizing a left-to-right, call-by-value strategy. We write $\mathcal{E}[a]$ for the term obtained by plugging $a$ into the hole $[\bullet]$ of $\mathcal{E}$. The one-step reduction relation $\to$ is defined as the least relation on configurations $(h, a) \in \mathit{Heap} \times \mathit{CTerm}$ generated by the rules in Figure 3 and closed under the following context rule:

$$(h, a) \to (h', a') \implies (h, \mathcal{E}[a]) \to (h', \mathcal{E}[a']) \qquad \text{(Red-Ctx)}$$

$$\begin{array}{rcl}
\mathcal{E} & ::= & [\bullet] \mid \mathcal{E}.m \mid \mathcal{E}.m := \varsigma(x{:}A)b \mid \mathrm{clone}\ \mathcal{E} \mid \mathcal{E}\ b \mid v\ \mathcal{E} \mid \mathrm{fold}_A\ \mathcal{E} \mid \mathrm{unfold}_A\ \mathcal{E} \\
 & \mid & \mathcal{E}[A] \mid \mathrm{pack}\ X \le A = C\ \mathrm{in}\ \mathcal{E}{:}B \mid \mathrm{open}\ \mathcal{E}\ \mathrm{as}\ X \le A, x{:}B\ \mathrm{in}\ b{:}C
\end{array}$$

Figure 2: Evaluation contexts

$$\begin{array}{lll}
\text{(Red-Obj)} & (h, [m_d = \varsigma(x_d{:}A)b_d]_{d \in D}) \to (h[l_d := \lambda(x_d{:}A)b_d]_{d \in D},\ \{m_d = l_d\}_{d \in D}) & \text{where } \forall d \in D.\ l_d \notin dom(h) \\
\text{(Red-Inv)} & (h, \{m_d = l_d\}_{d \in D}.m_e) \to (h,\ h(l_e)\ \{m_d = l_d\}_{d \in D}) & \text{if } e \in D \\
\text{(Red-Upd)} & (h, \{m_d = l_d\}_{d \in D}.m_e := \varsigma(x{:}A)b) \to (h[l_e := \lambda(x{:}A)b],\ \{m_d = l_d\}_{d \in D}) & \text{if } e \in D \\
\text{(Red-Clone)} & (h, \mathrm{clone}\ \{m_d = l_d\}_{d \in D}) \to (h[l'_d := h(l_d)]_{d \in D},\ \{m_d = l'_d\}_{d \in D}) & \text{where } \forall d \in D.\ l'_d \notin dom(h) \\
\text{(Red-Beta)} & (h, (\lambda(x{:}A)b)\ v) \to (h, \{x \mapsto v\}(b)) & \\
\text{(Red-Unfold)} & (h, \mathrm{unfold}_A\ (\mathrm{fold}_B\ v)) \to (h, v) & \\
\text{(Red-TBeta)} & (h, (\Lambda(X \le A)b)[B]) \to (h, \{X \mapsto B\}(b)) & \\
\text{(Red-Open)} & (h, \mathrm{open}\ v\ \mathrm{as}\ X \le A, x{:}B\ \mathrm{in}\ b{:}C) \to (h, \{x \mapsto v', X \mapsto C'\}(b)) & \text{where } v = \mathrm{pack}\ X \le A' = C'\ \mathrm{in}\ v'{:}B'
\end{array}$$

Figure 3: One-step reduction relation

The methods are actually stored in the heap as procedures. Object construction allocates new heap storage for these procedures and returns a record of references to them (Red-Obj). Upon method invocation the corresponding stored procedure is retrieved from the heap and applied to the enclosing object (Red-Inv). The self parameter is thus passed just like any other procedure argument. Identifying methods and procedures makes the 'self-application' semantics of method invocation explicit, while technically it allows us to use the step-indexed model of Ahmed et al. [6, 9] with only few modifications.

While variables are immutable identifiers, methods can be updated destructively. Such updates only modify the heap and leave the run-time object unchanged (Red-Upd). Object cloning generates a shallow copy of an object in the heap (Red-Clone). The last four rules in Figure 3 are as in the lambda calculus.

$^1$ In fact, for the purpose of modelling the imperative object calculus it would suffice to regard procedures as the only kind of storable value.

Subtyping

$$\begin{array}{c}
\text{(SubRefl)}\ \dfrac{\Gamma \vdash A}{\Gamma \vdash A \le A} \qquad
\text{(SubTrans)}\ \dfrac{\Gamma \vdash A \le A' \quad \Gamma \vdash A' \le B}{\Gamma \vdash A \le B} \\[2ex]
\text{(SubTop)}\ \dfrac{\Gamma \vdash A}{\Gamma \vdash A \le \mathit{Top}} \qquad
\text{(SubBot)}\ \dfrac{\Gamma \vdash A}{\Gamma \vdash \mathit{Bot} \le A} \qquad
\text{(SubVar)}\ \dfrac{\Gamma_1, X \le A, \Gamma_2 \vdash \diamond}{\Gamma_1, X \le A, \Gamma_2 \vdash X \le A} \\[2ex]
\text{(SubProc)}\ \dfrac{\Gamma \vdash A' \le A \quad \Gamma \vdash B \le B'}{\Gamma \vdash A \to B \le A' \to B'} \\[2ex]
\text{(SubObj)}\ \dfrac{E \subseteq D \quad \forall e \in E.\ (\nu_e \in \{+, o\} \Rightarrow \Gamma \vdash A_e \le A'_e) \wedge (\nu_e \in \{-, o\} \Rightarrow \Gamma \vdash A'_e \le A_e)}{\Gamma \vdash [m_d :^{\nu_d} A_d]_{d \in D} \le [m_e :^{\nu_e} A'_e]_{e \in E}} \\[2ex]
\text{(SubObjVar)}\ \dfrac{\forall d \in D.\ \nu_d = o \vee \nu_d = \nu'_d}{\Gamma \vdash [m_d :^{\nu_d} A_d]_{d \in D} \le [m_d :^{\nu'_d} A_d]_{d \in D}} \\[2ex]
\text{(SubRec)}\ \dfrac{\Gamma \vdash \mu(X)A \quad \Gamma \vdash \mu(Y)B \quad \Gamma, Y \le \mathit{Top}, X \le Y \vdash A \le B}{\Gamma \vdash \mu(X)A \le \mu(Y)B} \\[2ex]
\text{(SubUniv)}\ \dfrac{\Gamma \vdash A' \le A \quad \Gamma, X \le A' \vdash B \le B'}{\Gamma \vdash \forall(X \le A)B \le \forall(X \le A')B'} \qquad
\text{(SubExist)}\ \dfrac{\Gamma \vdash A \le A' \quad \Gamma, X \le A \vdash B \le B'}{\Gamma \vdash \exists(X \le A)B \le \exists(X \le A')B'}
\end{array}$$

Figure 4: Subtyping

For $k \in \mathbb{N}$, $\to^k$ denotes the $k$-step reduction relation. We write $(h, a)\not\to$ if the configuration $(h, a)$ is irreducible (i.e., there exists no configuration $(h', a')$ such that $(h, a) \to (h', a')$).

Note that reduction is not deterministic, due to the arbitrarily chosen fresh locations in (Red-Obj) and (Red-Clone). However, we still have that there is always at most one, uniquely determined redex. This has the important consequence that the reduction order is fixed. For example, if there is a reduction sequence beginning with a method invocation and ending in an irreducible configuration, $(h_1, a.m) \to^* (h_2, b)\not\to$, then this sequence can be split into

$$(h_1, a.m) \to^i (h'_1, a'.m) \to^* (h_2, b)$$

where $(h_1, a) \to^i (h'_1, a')\not\to$ for some $i \ge 0$. Similar decompositions into subsequences hold for reductions starting from the other term forms.

It is easy to see that the operational semantics is independent of the type annotations inside terms. Also the semantic types that we define in Section 3 will not depend on the syntactic type expressions in the terms. In order to reduce the notational overhead and to prevent confusion between the syntax and semantics of types we will omit type annotations when presenting the step-indexed semantics. For example, instead of the type application $a[A]$ we will merely write $a[]$.

Subsumption and axioms ($\Gamma \vdash a : A$)

$$\text{(Sub)}\ \dfrac{\Gamma \vdash a : A \quad \Gamma \vdash A \le B}{\Gamma \vdash a : B} \qquad \text{(Var)}\ \dfrac{\Gamma_1, x{:}A, \Gamma_2 \vdash \diamond}{\Gamma_1, x{:}A, \Gamma_2 \vdash x : A}$$

Procedure types

$$\text{(Lam)}\ \dfrac{\Gamma, x{:}A \vdash b : B}{\Gamma \vdash \lambda(x{:}A)b : A \to B} \qquad \text{(App)}\ \dfrac{\Gamma \vdash a : B \to A \quad \Gamma \vdash b : B}{\Gamma \vdash a\ b : A}$$

Object types (where $A = [m_d :^{\nu_d} A_d]_{d \in D}$)

$$\text{(Obj)}\ \dfrac{\forall d \in D.\ \Gamma, x_d{:}A \vdash b_d : A_d}{\Gamma \vdash [m_d = \varsigma(x_d{:}A)b_d]_{d \in D} : A} \qquad \text{(Clone)}\ \dfrac{\Gamma \vdash a : A}{\Gamma \vdash \mathrm{clone}\ a : A}$$

$$\text{(Inv)}\ \dfrac{\Gamma \vdash a : A \quad e \in D \quad \nu_e \in \{+, o\}}{\Gamma \vdash a.m_e : A_e} \qquad \text{(Upd)}\ \dfrac{\Gamma \vdash a : A \quad e \in D \quad \Gamma, x{:}A \vdash b : A_e \quad \nu_e \in \{-, o\}}{\Gamma \vdash a.m_e := \varsigma(x{:}A)b : A}$$

Recursive types

$$\text{(Unfold)}\ \dfrac{\Gamma \vdash a : \mu(X)A}{\Gamma \vdash \mathrm{unfold}_{\mu(X)A}\ a : \{X \mapsto \mu(X)A\}(A)} \qquad \text{(Fold)}\ \dfrac{\Gamma \vdash a : \{X \mapsto \mu(X)A\}(A)}{\Gamma \vdash \mathrm{fold}_{\mu(X)A}\ a : \mu(X)A}$$

Bounded quantified types

$$\text{(TLam)}\ \dfrac{\Gamma, X \le A \vdash b : B}{\Gamma \vdash \Lambda(X \le A)b : \forall(X \le A)B} \qquad \text{(TApp)}\ \dfrac{\Gamma \vdash a : \forall(X \le A)B \quad \Gamma \vdash A' \le A}{\Gamma \vdash a[A'] : \{X \mapsto A'\}(B)}$$

$$\text{(Pack)}\ \dfrac{\Gamma \vdash C \le A \quad \Gamma \vdash \{X \mapsto C\}(a) : \{X \mapsto C\}(B)}{\Gamma \vdash (\mathrm{pack}\ X \le A = C\ \mathrm{in}\ a{:}B) : \exists(X \le A)B} \qquad \text{(Open)}\ \dfrac{\Gamma \vdash a : \exists(X \le A)B \quad \Gamma \vdash C \quad \Gamma, X \le A, x{:}B \vdash b : C}{\Gamma \vdash (\mathrm{open}\ a\ \mathrm{as}\ X \le A, x{:}B\ \mathrm{in}\ b{:}C) : C}$$

Figure 5: Typing of terms

C. HRITCU AND J. SCHWINGHAMMER

2.3. Type System. The type system we consider features procedure, object, iso-recursive and (impredicative, bounded) quantified types, as well as subtyping, and corresponds to $\mathrm{FOb}_{<:\mu}$ from [2]. It is fairly standard and consists of four inductively defined typing judgments:

• $\Gamma \vdash \diamond$, describing well-formed typing contexts,

• $\Gamma \vdash A$, defining well-formed types,

• $\Gamma \vdash A \le B$, for subtyping between well-formed types, and

• $\Gamma \vdash a : A$, for typing terms.

The typing context $\Gamma$ is a list containing type bindings for the (term) variables $x{:}A$ and upper bounds for the type variables $X \le A$. A typing context is well-formed if it does not contain duplicate bindings for (term or type) variables and all types appearing in it are well-formed. A type is well-formed with respect to a well-formed context $\Gamma$ if all its type variables appear in $\Gamma$.

Figure 4 defines the subtyping relation. For the object types it allows subtyping in width: an object type with more methods is a subtype of an object type with fewer methods, as long as the types of the common methods agree. For the invoke-only ($+$) and update-only ($-$) methods in object types, covariant respectively contravariant subtyping in depth is allowed (SubObj). Furthermore, the unrestricted methods ($o$) can be regarded, by subtyping, as either invoke-only or update-only (SubObjVar). Since the annotations can be conveniently chosen at creation time (Obj) this brings much flexibility. As explained by Abadi and Cardelli [2], this allows us to distinguish in the type system between the invocations and updates done through the self argument, and the ones done from the outside. The main idea is to type an object creation with an object type where all methods are considered invariant, so that all invocations and updates through the self argument (internal) are allowed, but have to be type preserving. Then rules (Sub) and (SubObjVar) are applied and some of the methods can become invoke-only, some others update-only. This enables the subsequent weakening of the types of these methods using (SubObj). In effect, this allows for safe and flexible subtyping of methods, at the price of restricting update and invocation of the methods from the outside. Nevertheless, the internal updates and invocations remain unrestricted.
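The internal/external view just described can be checked mechanically. The following is an added example, not code from the paper: a subtype checker for the first-order part of Figure 4 (SubRefl, SubTop, SubBot, SubProc, SubObj, SubObjVar). The type encoding is our own assumption (plain strings for Top, Bot and opaque base types such as Int, tuples for procedure and object types), and SubObjVar is folded into the object case by letting an unrestricted method take the annotation the supertype demands before the depth check. Recursive and quantified types are left out.

```python
# Added example (not from the paper): a checker for the first-order part of the
# subtyping relation of Figure 4 (SubRefl, SubTop, SubBot, SubProc, SubObj, SubObjVar).
# Type encoding is ours: 'Top' | 'Bot' | a base-type name such as 'Int' (only equal
# to itself) | ('proc', A, B) | ('obj', {m: (variance, A)}) with variance 'o', '+', '-'.
# Recursive and quantified types (SubRec, SubUniv, SubExist) are not covered.

def subtype(a, b):
    """Does a <= b hold?  SubObjVar is folded into the object case: an 'o' method of
    `a` may be viewed with the annotation `b` demands, and the depth check then
    follows that annotation (covariant, contravariant or invariant)."""
    if a == b or b == 'Top' or a == 'Bot':                        # SubRefl, SubTop, SubBot
        return True
    if isinstance(a, str) or isinstance(b, str):                  # two distinct base types
        return False
    if a[0] == 'proc' and b[0] == 'proc':                         # SubProc
        return subtype(b[1], a[1]) and subtype(a[2], b[2])
    if a[0] == 'obj' and b[0] == 'obj':
        for m, (nu_b, tb) in b[1].items():                        # width: b's methods are in a
            if m not in a[1]:
                return False
            nu_a, ta = a[1][m]
            if nu_a != nu_b and nu_a != 'o':                      # SubObjVar: only 'o' may change
                return False
            if nu_b in ('+', 'o') and not subtype(ta, tb):        # invoke-only: covariant
                return False
            if nu_b in ('-', 'o') and not subtype(tb, ta):        # update-only: contravariant
                return False
        return True
    return False

def demo():
    """Creation type with every method unrestricted (the internal view) against
    the weakened views an outside client may be given.  Constructed types."""
    counter = ('obj', {'val': ('o', 'Int'), 'inc': ('o', ('proc', 'Int', 'Int'))})
    return (
        subtype(counter, ('obj', {'val': ('+', 'Int')})),              # drop 'inc', 'o' -> '+'
        subtype(counter, ('obj', {'val': ('+', 'Top')})),              # invoke-only: covariant
        subtype(counter, ('obj', {'val': ('o', 'Top')})),              # unrestricted: invariant
        subtype(counter, ('obj', {'val': ('-', 'Top')})),              # would need Top <= Int
        subtype(counter, ('obj', {'val': ('-', 'Bot')})),              # Bot <= Int: allowed
        subtype(('obj', {'val': ('+', 'Int')}), counter),              # width, wrong direction
        subtype(counter, ('obj', {'inc': ('+', ('proc', 'Bot', 'Top'))})),  # SubProc in depth
        subtype(('proc', 'Int', 'Int'), ('proc', 'Top', 'Int')),        # argument is contravariant
    )
```

The third and fourth results are the point of the paragraph: a method that stays unrestricted in the client view cannot be weakened at all, and an update-only view can only be weakened in the contravariant direction, while the internal type still allows every self-invocation and self-update.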

Figure 5 defines the typing relation. The applicability of the rules for method invocation 
(Inv), and for method update (Upd), depends on the variance annotation. Also notice that 
only type-preserving updates are allowed in (Upd). Finally, it is important to note that we 
do not give types to heap locations, since the type system is only used to check programs, and 
programs do not contain locations. In contrast, a proof of type safety using the preservation 
and progress properties would require the syntactic judgement to also depend on a heap 
typing since partially evaluated terms would also need to be typed. 



3. A Step-indexed Semantics of Objects 

Modelling higher-order store is necessarily more involved than the treatment of first-order storage since the semantic domains become mutually recursive. Recall that heaps store values that may be procedures. These in turn can be modeled as functions that take a value and the initial heap as input, and return a value and the possibly modified heap upon termination. This suggests the following semantic domains for values and heaps, respectively:

$$\begin{array}{rcl}
D_{\mathit{Val}} & = & (D_{\mathit{Heaps}} \times D_{\mathit{Val}} \rightharpoonup D_{\mathit{Heaps}} \times D_{\mathit{Val}}) + \ldots \\
D_{\mathit{Heaps}} & = & \mathit{Loc} \rightharpoonup_{\mathit{fin}} D_{\mathit{Val}}
\end{array} \qquad (3.1)$$

A simple cardinality argument shows that there are no set-theoretic solutions (i.e., where $D \rightharpoonup E$ denotes the set of all partial functions from $D$ to $E$) satisfying the equations in (3.1). A possible solution is to use a domain-theoretic approach, as done for the imperative object calculus by Reus and Streicher [42], building on earlier work by Kamin and Reddy [30].
In a model of a typed calculus one also wants to interpret the types. But naively taking a collection Type of subsets $\tau \subseteq D_{\mathit{Val}}$ as interpretations of syntactic types does not work, since values generally depend on the heap and a typed model should guarantee that all heap access operations are type-correct. We are led to the following approach: first, in order to ensure that updates are type-preserving, we also consider heap typings. Heap typings are partial maps $\Psi \in \mathit{HeapTyping} = \mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{Type}$ that track the set of values that may be stored in each heap location. Second, the collection of types is refined to take heap typings into account: a type will now consist of values paired with heap typings that describe the necessary requirements on heaps. These ideas suggest that we take

$$\begin{array}{rcl}
\mathit{Type} & = & \mathcal{P}(\mathit{HeapTyping} \times D_{\mathit{Val}}) \\
\mathit{HeapTyping} & = & \mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{Type}
\end{array} \qquad (3.2)$$

Again, a cardinality argument shows the impossibility of defining these sets.

A final obstacle to modelling the object calculus, albeit independent of the higher-order nature of heaps, is due to dynamic allocation in the heap. This results in heap typings that may vary in the course of a computation, reflecting the changing 'shape' of the heap. However, as is the case for many high-level languages, the object calculus is well-behaved in this respect:

• inside the language, there is no possibility of deallocating heap locations; and

• only weak (i.e., type-preserving) updates are allowed.

As a consequence, extensions are the only changes that need to be considered for heap typings. Intuitively, values that rely on heaps with typing $\Psi$ will also be type-correct for extended heaps, with an extended heap typing $\Psi' \sqsupseteq \Psi$. For this reason, semantic models of dynamic allocation typically lend themselves to a Kripke-style presentation, where all semantic entities are indexed by possible worlds drawn from the set of heap typings, partially (pre-)ordered by heap typing extension [SU [331 Ell EH [39].

Rather than trying to extend the already complex domain-theoretic models to heap typings and dynamic allocation, we will use the step-indexing technique. Since this technique is based directly on the operational semantics, it provides an alternative that has less mathematical overhead. In particular, there is no need to find semantic domains satisfying (3.1): we can simply have $D_{\mathit{Val}}$ be the set of closed values and use syntactic procedures in place of set-theoretic functions. Moreover, it is relatively easy to also model impredicative second-order types in the step-indexed model of Ahmed et al. [6, 9], which is crucial for the interpretation of object types we develop below. Although recently there has been progress in finding domain-theoretic models of languages that combine references and polymorphic types [15, 16, 17], the constructions are more involved.

The circularity in (3.2) is resolved by considering a stratification based on a notion of '$k$-step execution safety'. The central idea is that a term has type $\tau$ with approximation $k$ if this assumption cannot be proved wrong (in the sense of reaching a stuck state) in any context by executing fewer than $k$ steps. The key insight for constructing the sets satisfying (3.2) is that all operations on the heap consume one step. Thus, in order to determine whether a pair $(\Psi, v)$, where $\Psi$ is a heap typing and $v$ a value, belongs to a type $\tau$ with approximation $k$ it is sufficient to know the types of the stored values on which $v$ relies (as recorded by $\Psi$) only up to level $k - 1$. The true meaning of types and heap typings is then obtained by taking the limit over all such approximations.

For instance, if a heap typing $\Psi$ asserts that a $\mathit{Bool}$-returning procedure is stored at location $l$, i.e., $\Psi(l) = [m{:}\mathit{Bool}] \to \mathit{Bool}$, then it is certainly not safe to assume that the pair $(\Psi, \lambda(y)\{m = l\}.m)$ belongs to the type of $\mathit{Int}$-returning procedures. However, it is not possible to contradict this assumption by taking only two reduction steps: the first step is consumed by the beta reduction, the second one by the method selection $\{m = l\}.m$ in the procedure body, which involves a heap access. In this case, there are no steps left to observe that the result of the computation is a boolean rather than an integer. Consequently, the value $\lambda(y)\{m = l\}.m$ is in the type of $\mathit{Int}$-returning procedures for two computation steps, even though it does not actually return an integer. One can of course distinguish such 'false positives' by taking more reduction steps.
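Both the reduction rules of Section 2.2 (Figure 3) and the two-step 'false positive' just described can be replayed on a small interpreter. The following is an added example, not code from the paper: a small-step evaluator for the untyped run-time fragment of the calculus (object creation, invocation, update, clone, procedures and application), with a step budget. The term encoding, the deterministic choice of fresh locations, the literal values used to make a result observable, and the heap contents of the demo are all our own assumptions; the paper fixes none of them.

```python
# Added example (not from the paper): a small-step interpreter for the untyped
# run-time fragment of the imperative object calculus, following Figure 3
# (Red-Obj, Red-Inv, Red-Upd, Red-Clone, Red-Beta) and the context rule Red-Ctx.
# Type annotations are omitted, as Section 3 does; 'lit' literals are added so
# that a result can be observed.  Term encoding (our choice):
#   ('var', x)  ('obj', {m: (x, body)})  ('inv', a, m)  ('upd', a, m, (x, body))
#   ('clone', a)  ('lam', x, body)  ('app', a, b)  ('lit', v)
# Run-time objects {m_d = l_d} are ('rec', {m: loc}); values are rec, lam, lit.

def is_value(t):
    return t[0] in ('rec', 'lam', 'lit')

def subst(t, x, v):
    """{x -> v}(t) for a closed value v; the binders of lam and of each method shadow x."""
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag in ('lit', 'rec'):
        return t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    if tag == 'obj':
        return ('obj', {m: (y, b if y == x else subst(b, x, v)) for m, (y, b) in t[1].items()})
    if tag == 'inv':
        return ('inv', subst(t[1], x, v), t[2])
    if tag == 'upd':
        y, b = t[3]
        return ('upd', subst(t[1], x, v), t[2], (y, b if y == x else subst(b, x, v)))
    if tag == 'clone':
        return ('clone', subst(t[1], x, v))
    return ('app', subst(t[1], x, v), subst(t[2], x, v))

def fresh(h, n):
    """n locations outside dom(h); chosen deterministically here, arbitrarily in the paper."""
    start = max(h, default=-1) + 1
    return list(range(start, start + n))

def step(h, t):
    """One reduction (h, t) -> (h', t'), or None if the configuration is irreducible."""
    tag = t[0]
    if is_value(t) or tag == 'var':
        return None
    # Red-Ctx: reduce the leftmost non-value subterm first (the contexts of Figure 2).
    for i in {'inv': [1], 'upd': [1], 'clone': [1], 'app': [1, 2]}.get(tag, []):
        if not is_value(t[i]):
            r = step(h, t[i])
            return None if r is None else (r[0], t[:i] + (r[1],) + t[i + 1:])
    h2 = dict(h)
    if tag == 'obj':                                      # Red-Obj
        locs = fresh(h, len(t[1]))
        for l, (x, b) in zip(locs, t[1].values()):
            h2[l] = ('lam', x, b)                         # methods are stored as procedures
        return h2, ('rec', dict(zip(t[1].keys(), locs)))
    a = t[1]
    if tag == 'inv' and a[0] == 'rec' and t[2] in a[1]:   # Red-Inv: self-application
        return h, ('app', h[a[1][t[2]]], a)
    if tag == 'upd' and a[0] == 'rec' and t[2] in a[1]:   # Red-Upd: heap changes, object does not
        h2[a[1][t[2]]] = ('lam',) + t[3]
        return h2, a
    if tag == 'clone' and a[0] == 'rec':                  # Red-Clone: shallow copy
        locs = fresh(h, len(a[1]))
        for l2, l in zip(locs, a[1].values()):
            h2[l2] = h[l]
        return h2, ('rec', dict(zip(a[1].keys(), locs)))
    if tag == 'app' and a[0] == 'lam':                    # Red-Beta
        return h, subst(a[2], a[1], t[2])
    return None                                           # stuck, e.g. a missing method

def run(h, t, k):
    """Reduce at most k steps; returns (heap, term, steps taken)."""
    n = 0
    while n < k and (r := step(h, t)) is not None:
        h, t = r
        n += 1
    return h, t, n

def holds_for(h, t, k, pred):
    """Step-indexed reading: True while 'the result satisfies pred' has not been
    refuted within k steps (a result failing pred, or a stuck state, refutes it)."""
    h, t, n = run(h, t, k)
    if is_value(t):
        return pred(t)
    return n == k

def false_positive_demo():
    """Section 3 example: location 0 holds a Bool-returning procedure, yet
    (lambda(y){m=0}.m) 0 cannot be told apart from an Int computation within 2 steps."""
    h = {0: ('lam', 's', ('lit', True))}                  # constructed heap
    t = ('app', ('lam', 'y', ('inv', ('rec', {'m': 0}), 'm')), ('lit', 0))
    is_int = lambda v: v[0] == 'lit' and type(v[1]) is int
    return {k: holds_for(h, t, k, is_int) for k in range(5)}

def clone_demo():
    """o = [m=s(s)1, n=s(s)s.m]: an update through an alias of o is visible via o,
    an update to (clone o) is not.  Returns o.n read via the clone, via o, via the alias."""
    h, o, _ = run({}, ('obj', {'m': ('s', ('lit', 1)), 'n': ('s', ('inv', ('var', 's'), 'm'))}), 1)
    h, c, _ = run(h, ('clone', o), 1)
    upd = lambda obj, v: ('upd', obj, 'm', ('s', ('lit', v)))
    # (lambda(z) z.n)(c.m := s(s)2): the update returns its object, so z is the updated clone
    h, vc, _ = run(h, ('app', ('lam', 'z', ('inv', ('var', 'z'), 'n')), upd(c, 2)), 50)
    h, vo, _ = run(h, ('inv', o, 'n'), 50)
    h, va, _ = run(h, ('app', ('lam', 'z', ('inv', o, 'n')), upd(o, 3)), 50)
    return vc, vo, va
```

`false_positive_demo` reports that the Int-returning claim survives budgets of 0, 1 and 2 steps and is refuted from 3 steps on, exactly the count in the text (beta reduction, then the heap access of the method selection, then the stored procedure's own beta step). `clone_demo` shows why Red-Clone allocates fresh locations: updating the clone leaves `o.n` at 1, whereas updating `o` through an alias is seen by every holder of the same record.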

The preceding considerations are now formalized, building on the model originally developed by Ahmed et al. for an ML-like language with general references and impredicative second-order types [6, 9]. Apart from some notational differences, the definitions in Section 3.1 are the same as in [6]. Section 3.2 adds subtyping, while Section 3.3 deals with procedure types, and Section 3.4 revisits reference types. The semantics of object types is presented in Section 3.5 and constitutes the main contribution of this paper. We further deviate from [6] by adding bounds to the second-order types in Section 3.6 and by using iso-recursive instead of equi-recursive types in Section 3.7.

3.1. The Semantic Model. To make the (circular) definition of types and heap typings from (3.2) work, the step-indexed semantics considers triples with an additional natural number component, representing the step index, rather than just pairs. First, we inductively define two families $(\mathit{PreType}_k)_{k \in \mathbb{N}}$ of pre-types, and $(\mathit{HeapPreTyping}_k)_{k \in \mathbb{N}}$ of heap pre-typings, by

$$\begin{array}{rcl}
\tau \in \mathit{PreType}_0 & \iff & \tau = \emptyset \\
\tau \in \mathit{PreType}_{k+1} & \iff & \tau \in \mathcal{P}(\mathbb{N} \times (\bigcup_{j \le k} \mathit{HeapPreTyping}_j) \times \mathit{CVal}) \\
 & & \wedge\ \forall (j, \Psi, v) \in \tau.\ j \le k \wedge \Psi \in \mathit{HeapPreTyping}_j
\end{array}$$

where $\mathit{HeapPreTyping}_k = \mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{PreType}_k$. That is, each $\tau \in \mathit{PreType}_k$ is a set of triples $(j, \Psi, v)$ where the set $\mathit{HeapPreTyping}_j$ from which the heap pre-typing $\Psi$ is drawn depends on the index $j < k$. Clearly $\mathit{PreType}_k \subseteq \mathit{PreType}_{k+1}$ and thus $\mathit{HeapPreTyping}_k \subseteq \mathit{HeapPreTyping}_{k+1}$ for all $k$. Now it is possible to set

$$\tau \in \mathit{PreType} \iff \tau \in \mathcal{P}(\mathbb{N} \times (\textstyle\bigcup_j \mathit{HeapPreTyping}_j) \times \mathit{CVal}) \wedge \forall (j, \Psi, v) \in \tau.\ \Psi \in \mathit{HeapPreTyping}_j$$

We call the elements of this set pre-types, rather than types, since there will be a further condition that proper types must satisfy (this is done in Definition 3.4 below). From now on, when writing $(k, \Psi, v)$, we always implicitly assume that $\Psi \in \mathit{HeapPreTyping}_k$. By HeapPreTyping we denote the set $\mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{PreType}$ of finite maps into pre-types.

Each pre-type $\tau$ is a union of sets $\tau_k \in \mathit{PreType}_k$ where the index appearing in elements of $\tau_k$ is bounded by $k$. This is made explicit by the following notion of semantic approximation and the stratification invariant below.

Definition 3.1 (Semantic approximation). For any pre-type $\tau$ we call $\lfloor\tau\rfloor_k$ the $k$-th approximation of $\tau$ and define it as the subset containing all elements of $\tau$ that have an index strictly less than $k$: $\lfloor\tau\rfloor_k = \{(j, \Psi, v) \in \tau \mid j < k\}$. This definition is lifted pointwise to the (partial) functions in HeapPreTyping: $\lfloor\Psi\rfloor_k = \lambda l \in dom(\Psi).\ \lfloor\Psi(l)\rfloor_k$.

Proposition 3.2 (Stratification). For all $\tau \in \mathit{PreType}$ and $k \in \mathbb{N}$, $\lfloor\tau\rfloor_k \in \mathit{PreType}_k$. Moreover, $\tau = \bigcup_k \lfloor\tau\rfloor_k$. □
So in particular, if $(k, \Psi, v) \in \tau$ and $l \in dom(\Psi)$ then $\Psi(l) \in \mathit{PreType}_j$ for some $j < k$. This is captured by the following 'stratification invariant', which will be satisfied by all the constructions on (pre-)types, and which ensures the well-foundedness of the whole construction:

Stratification invariant. For all pre-types $\tau$, $\lfloor\tau\rfloor_{k+1}$ cannot depend on any pre-type beyond approximation $k$.

As indicated above, in order to take dynamic allocation into account we consider a possible worlds model. Intuitively we think of a pair $(k, \Psi)$ as describing the state of a heap $h$, where $\Psi$ lists locations in $h$ that are guaranteed to be allocated, and contains the types of the stored values up to approximation $k$. In the course of a computation, there are three different situations where the heap state changes:

• New objects are allocated on the heap, which is reflected by a heap pre-typing $\Psi'$ with additional locations compared to $\Psi$. This operation does not affect any of the previously stored objects, so $\Psi'$ will be an extension of $\Psi$.

• The program executes for $k - j$ steps, for some $j \le k$, without accessing the heap. This is reflected by a heap state $(j, \lfloor\Psi\rfloor_j)$ that 'forgets' that we have a more precise approximation, and guarantees that the heap is safe only for $j$ execution steps.

• The heap is updated, but in such a way that all typing guarantees of $\Psi$ are preserved. Thus updates will be reflected by an information forgetting extension, as in the previous case. However, because of the step taken by the update itself, in this case we necessarily have that $j < k$.

The following definition of state extension captures these possible evolutions of a state.

Definition 3.3 (State extension). State extension $\sqsubseteq$ is the relation on $\mathbb{N} \times \mathit{HeapPreTyping}$ defined by

$$(k, \Psi) \sqsubseteq (j, \Psi') \iff j \le k \wedge dom(\Psi) \subseteq dom(\Psi') \wedge \forall l \in dom(\Psi).\ \lfloor\Psi'\rfloor_j(l) = \lfloor\Psi\rfloor_j(l)$$

The step-indexing technique relies on the approximation of the 'true' set of values that constitute a type, by all those values that behave accordingly unless a certain number of computation steps are taken. Limiting the number of available steps, we will only be able to make fewer distinctions. Moreover, if for instance a procedure relies on locations in the heap as described by a state $(k, \Psi)$, we can safely apply the procedure after further allocations. In fact, if we are only interested in safely executing the procedure for $j \le k$ steps, a heap described by state $(j, \lfloor\Psi\rfloor_j)$ will suffice. These conditions are captured precisely by state extension, so we require our semantic types to be closed under state extension:

Definition 3.4 (Semantic types and heap typings). The set Type of semantic types is the subset of PreType defined by

$$\tau \in \mathit{Type} \iff \forall k, j \ge 0.\ \forall \Psi, \Psi'.\ \forall v \in \mathit{CVal}.\ (k, \Psi) \sqsubseteq (j, \Psi') \wedge (k, \Psi, v) \in \tau \Rightarrow (j, \Psi', v) \in \tau$$

We also define the set $\mathit{HeapTyping} = \mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{Type}$ of heap typings, ranged over by $\Psi$ in the following, as the subset of heap pre-typings that map to semantic types.
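Definitions 3.1, 3.3 and 3.4 can be run on finite data to see what closure under state extension adds to a pre-type. The following is an added example, not code from the paper: pre-types are frozensets of triples $(j, \Psi, v)$, heap pre-typings are frozensets of (location, pre-type) pairs so that they are hashable, and values are plain strings. Unlike Definition 3.4, which ranges over all heap pre-typings, the closure here is computed against an explicit finite list of candidate states; the pre-types and states in the demo are constructed for illustration.

```python
# Added example (not from the paper): Definitions 3.1, 3.3 and 3.4 on finite data.
# A pre-type is a frozenset of triples (j, psi, v); a heap pre-typing psi is a
# frozenset of (location, pre-type) pairs, which keeps it hashable; values are
# strings.  Closure under state extension is quantified over an explicit finite
# list of candidate heap pre-typings, whereas Definition 3.4 ranges over all.
EMPTY = frozenset()

def floor_ty(tau, k):
    """Definition 3.1: the elements of tau whose index is strictly below k."""
    return frozenset(e for e in tau if e[0] < k)

def floor_typing(psi, k):
    """The pointwise lifting of the k-th approximation to heap pre-typings."""
    return frozenset((l, floor_ty(t, k)) for l, t in psi)

def dom(psi):
    return {l for l, _ in psi}

def extends(k, psi, j, psi2):
    """Definition 3.3, (k, psi) extended by (j, psi2): fewer steps, at least the
    same locations, and agreement on psi's locations up to approximation j.
    Since psi2 is a function, the subset test on (location, approximation)
    pairs is exactly the pointwise equality of the definition."""
    return (j <= k and dom(psi) <= dom(psi2)
            and floor_typing(psi, j) <= floor_typing(psi2, j))

def closure(tau, typings):
    """Every (j, psi2, v) reachable from tau by state extension, psi2 from `typings`."""
    return frozenset((j, psi2, v) for (k, psi, v) in tau for psi2 in typings
                     for j in range(k + 1) if extends(k, psi, j, psi2))

def is_type(tau, typings):
    """Definition 3.4 restricted to the candidate heap pre-typings: tau is closed."""
    return closure(tau, typings) <= tau

def demo():
    good_for = lambda v, n: frozenset((j, EMPTY, v) for j in range(n))
    psi = frozenset({(0, good_for('true', 3))})          # location 0: a boolean, 3 steps
    psi_alloc = psi | {(1, good_for('0', 3))}             # one more location allocated
    psi_upd = frozenset({(0, frozenset({(0, EMPTY, 'true'), (1, EMPTY, '0'), (2, EMPTY, '0')}))})
    worlds = [psi, psi_alloc, psi_upd]
    tau = frozenset({(2, psi, 'v')})                      # a one-element pre-type
    cl = closure(tau, worlds)
    return (extends(2, psi, 2, psi_alloc),   # allocation keeps every guarantee
            extends(2, psi, 2, psi_upd),     # psi_upd disagrees with psi at index 1
            extends(2, psi, 1, psi_upd),     # ... but agrees up to approximation 1
            is_type(tau, worlds),            # tau alone is not closed: a pre-type only
            is_type(cl, worlds),             # its closure is
            len(cl))
```

The second and third results are the 'information forgetting extension' of the bullet list above: a heap update that changes what is stored at location 0 from index 1 onwards is not an extension at approximation 2, but it is one at approximation 1, which is all a computation that still has to pay for the update step can demand. The closure of the one-element pre-type has eight elements, three per extension that keeps all guarantees and two for the update that keeps them only below index 1.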

As explained by Ahmed [6], this structure may be viewed as an instance of Kripke 
models of intuitionistic logic where states are the possible worlds, state extension is the 
reachability relation between worlds, and where closure under state extension corresponds 
to Kripke monotonicity. 

Next we define when a particular heap $h$ conforms to the requirements expressed by a 
heap typing $\Psi$. This is done with respect to an approximation index. 

Definition 3.5 (Well-typed heap). A heap $h$ is well-typed with respect to $\Psi$ with approximation $k$, 
written as $h :_k \Psi$, if $\mathrm{dom}(\Psi) \subseteq \mathrm{dom}(h)$ and 

\[
\forall j < k.\; \forall l \in \mathrm{dom}(\Psi).\; (j, \lfloor\Psi\rfloor_j, h(l)) \in \Psi(l)
\]

Semantic types only contain values, but we also need to associate types with terms that 
are not values. We do this in two steps, first for closed terms, then for arbitrary ones. A 
closed term has a certain type to approximation $k$ with respect to some heap typing $\Psi$ if, 
in all heaps that are well-typed with respect to $\Psi$, the term behaves like an element of the 
type for $k$ computation steps. In general, before reducing to a value the term will execute 
for $j$ steps, and possibly allocate some new heap locations in doing so. The state describing 
the final heap will therefore be an extension of the state describing the initial heap, and it 
only needs to be safe for the remaining $k - j$ steps. Similarly, the final value needs to be in 
the original type only for another $k - j$ steps. The next definition makes this precise. 

Definition 3.6 (Closed term has semantic type). We say that a closed term $a$ has type $\tau$ 
with respect to the state $(k, \Psi)$, denoted as $a :_{k,\Psi} \tau$, if and only if 

\[
\forall j < k, h, h', b.\; \big(h :_k \Psi \;\wedge\; (h, a) \to^j (h', b) \;\wedge\; (h', b) \not\to\big) \Rightarrow
\exists \Psi'.\; (k, \Psi) \sqsubseteq (k - j, \Psi') \;\wedge\; h' :_{k-j} \Psi' \;\wedge\; (k - j, \Psi', b) \in \tau
\]

Even though the terms we evaluate are closed, when type-checking their subterms we 
also have to reason about open terms. Typing open terms is done with respect to a semantic 
type environment $\Sigma$ that maps variables to semantic types. We reduce typing open terms to 
typing their closed instances, obtained by substituting all free variables with appropriately 
typed, closed values. This is done by a value environment $\sigma$ (a finite map from variables to 
closed values) that agrees with the type environment. 

Definition 3.7 (Value environment agrees with type environment). We say that value 
environment $\sigma$ agrees with semantic type environment $\Sigma$, with respect to the state $(k, \Psi)$, if 
$\forall x \in \mathrm{dom}(\Sigma).\; \sigma(x) :_{k,\Psi} \Sigma(x)$. We denote this by $\sigma :_{k,\Psi} \Sigma$. 

Definition 3.8 (Semantic typing judgement). We say that a term $a$ (possibly with free 
variables, but not containing locations) has type $\tau$ with respect to a semantic type environment $\Sigma$, 
written as $\Sigma \models a : \tau$, if after substituting well-typed values for the free variables 
of $a$ we obtain a closed term that has type $\tau$ for any number of computation steps. More 
precisely: 

\[
\Sigma \models a : \tau \iff \mathrm{fv}(a) \subseteq \mathrm{dom}(\Sigma) \;\wedge\; \forall k \ge 0.\; \forall \Psi.\; \forall \sigma :_{k,\Psi} \Sigma.\; \sigma(a) :_{k,\Psi} \tau
\]

By construction, the semantic typing judgement enforces that all terms that are typable 
with respect to it do not produce type errors when evaluated. 

Definition 3.9 (Safe for k steps). We call a configuration $(h, a)$ safe for $k$ steps if the 
term $a$ does not get stuck in less than $k$ steps when evaluated in the heap $h$, i.e., we define 
the set of all such configurations by 

\[
\mathit{Safe}_k = \{(h, a) \mid \forall j < k.\; \forall h', b.\; (h, a) \to^j (h', b) \;\wedge\; (h', b) \not\to \;\Rightarrow\; b \in \mathit{Val}\}
\]

Definition 3.10 (Safety). We call a configuration safe if it does not get stuck in any number 
of steps, and let $\mathit{Safe} = \bigcap_{k \in \mathbb{N}} \mathit{Safe}_k$. 

Theorem 3.11 (Safety). For all programs $a$ such that $\emptyset \models a : \tau$ and for all heaps $h$ we 
have that $(h, a) \in \mathit{Safe}$. 

Proof. One first easily shows that, if $a :_{k,\Psi} \tau$ and $h :_k \Psi$, then $(h, a) \in \mathit{Safe}_k$. The theorem 
then follows by observing that any $h$ is well-typed with respect to the empty heap typing, 
to any approximation $k$. □ 

This is much more direct than a subject reduction proof [46]. However, unlike with 
subject reduction, the validity of the typing rules still needs to be proved with respect to 
the semantics. We do this in two steps. In the remainder of this section we introduce 
the specific semantic interpretations of types, and prove that they satisfy certain semantic 
typing lemmas. These proofs are similar in spirit to proving the 'fundamental theorem' of 
Kripke logical relations [32]. Then, in Section 4, we prove the soundness of the rules of the 
initial type system with respect to these typing lemmas. 

Even though the semantic typing lemmas are constructed so that they directly corre- 
spond to the rules of the original type system, there is a big difference between the two. 
While the semantic typing lemmas allow us to logically derive valid semantic judgments 
using other valid judgments as premises, the typing rules are just syntax that is used in the 
inductive definitions of the typing and subtyping relations. 

3.2. Subtyping. Since types in the step-indexed interpretation are sets (satisfying some 
additional constraints), the natural subtyping relation is set inclusion. This subtyping 
relation forms a complete lattice on semantic types, where infima and suprema are given 
by set-theoretic intersections and unions, respectively. The least element is $\bot = \emptyset$, while 
the greatest is 

\[
\top = \{(j, \Psi, v) \mid j \in \mathbb{N},\; \Psi \in \mathit{HeapTyping},\; v \in \mathit{CVal}\}.
\]

Obviously $\bot$ and $\top$ satisfy both the stratification invariant (i.e., they are pre-types) and 
the closure under state extension condition, so they are indeed semantic types. 
We can easily show the standard subsumption property. 

Lemma 3.12 (Subsumption). If $\Sigma \models a : \alpha$ and $\alpha \subseteq \beta$ then $\Sigma \models a : \beta$. □ 

While it is very easy to define subtyping in this way, the interaction between subtyping 
and the other features of the type system, in particular the object types, is far from trivial. 
This point will be discussed further in Section 3.5. 

3.3. Procedure Types. Intuitively, a procedure has type $\alpha \to \beta$ for $k$ computation steps 
if, when applied to any well-typed argument of type $\alpha$, it produces a result that has type $\beta$ for 
another $k - 1$ steps. This is because the procedure application itself takes one computation 
step, and the only way to use a procedure is by applying it to some argument. 

Additionally, we have to take into account that the procedure can also be applied after 
some computation steps that extend the heap. So, for every $j < k$ and for every heap 
typing $\Psi'$ such that $(k, \Psi) \sqsubseteq (j, \Psi')$, when applying the procedure to a value in type $\alpha$ 
for $j$ steps with respect to $\Psi'$, the result must have type $\beta$ for $j$ steps with respect to $\Psi'$. 
This computational intuition nicely fits the possible worlds reading of procedure types as 
intuitionistic implication. 
\[
\begin{array}{ll}
\Sigma[x := \alpha] \models b : \beta \;\Rightarrow\; \Sigma \models \lambda x.b : \alpha \to \beta & \text{(SemLam)} \\
(\Sigma \models a : \beta \to \alpha \;\wedge\; \Sigma \models b : \beta) \;\Rightarrow\; \Sigma \models a\,b : \alpha & \text{(SemApp)} \\
\alpha' \subseteq \alpha \;\wedge\; \beta \subseteq \beta' \;\Rightarrow\; \alpha \to \beta \subseteq \alpha' \to \beta' & \text{(SemSubProc)}
\end{array}
\]

Figure 6: Typing lemmas: procedure types 

Definition 3.13 (Procedure types). If $\alpha$ and $\beta$ are semantic types, then $\alpha \to \beta$ consists of 
those triples $(k, \Psi, \lambda x.b)$ such that for all $j < k$, heap typings $\Psi'$ and closed values $v$: 

\[
\big((k, \Psi) \sqsubseteq (j, \Psi') \;\wedge\; (j, \Psi', v) \in \alpha\big) \Rightarrow b[x := v] :_{j,\Psi'} \beta
\]

Proposition 3.14. If $\alpha$ and $\beta$ are semantic types, then $\alpha \to \beta$ is also a semantic type. □ 

Figure 6 contains the semantic typing lemmas associated with procedure types. The 
procedure type constructor is of course contravariant in the argument type and covariant 
in the result type. 

Lemma 3.15 (Procedure types). The three semantic typing lemmas shown in Figure 6 are 
valid implications. 

Proof sketch. The validity of (SemApp) and (SemLam) is proved in [6]. Verifying (Sem- 
SubProc) is simply a matter of unfolding the definitions. □ 
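As an added worked derivation (not part of the paper's text), the unfolding of Definitions 3.13 and 3.6 that (SemSubProc) reduces to runs as follows; the names $\Psi''$, $i$ and $c$ are ours, chosen to match the bound variables of Definition 3.6.

\[
\begin{array}{l}
\text{Assume } \alpha' \subseteq \alpha,\; \beta \subseteq \beta' \text{ and } (k, \Psi, \lambda x.b) \in \alpha \to \beta. \\[2pt]
\text{Let } j < k,\; \Psi' \text{ and } v \text{ with } (k, \Psi) \sqsubseteq (j, \Psi') \text{ and } (j, \Psi', v) \in \alpha'. \\
\text{By } \alpha' \subseteq \alpha \text{ we get } (j, \Psi', v) \in \alpha, \text{ so Definition 3.13 yields } b[x := v] :_{j,\Psi'} \beta. \\
\text{Unfolding Definition 3.6: for all } i < j,\, h,\, h',\, c \text{ with } h :_j \Psi' \wedge (h, b[x := v]) \to^i (h', c) \wedge (h', c) \not\to \\
\quad \text{there is } \Psi'' \text{ with } (j, \Psi') \sqsubseteq (j - i, \Psi'') \;\wedge\; h' :_{j-i} \Psi'' \;\wedge\; (j - i, \Psi'', c) \in \beta. \\
\text{By } \beta \subseteq \beta' \text{ also } (j - i, \Psi'', c) \in \beta', \text{ hence } b[x := v] :_{j,\Psi'} \beta'. \\
\text{Since } j, \Psi', v \text{ were arbitrary, Definition 3.13 gives } (k, \Psi, \lambda x.b) \in \alpha' \to \beta', \\
\text{i.e. } \alpha \to \beta \subseteq \alpha' \to \beta'.
\end{array}
\]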

3.4. Revisiting Reference Types. While our calculus does not have references syntactically, 
we will use the model of references from [6, 9] in our construction underlying object 
types. In order to interpret the variance annotations in object types, we additionally introduce 
readable reference types and writable reference types, with covariant and contravariant 
subtyping, respectively [35, 43]. 

A heap typing associates with each allocated location the precise type that can be used 
when reading from it and writing to it. So all heap locations support both reading and 
writing at a certain type, and we do not have read-only or write-only locations. Intuitively, 
for the readable reference types and the writable ones the precise type of the locations is 
only partially known, so that without additional information only one of the two operations 
is safe at a meaningful type. 

We first recall the definition of reference types from [6, 9]. 

Definition 3.16 (Reference types). If $\tau$ is a semantic type then 

\[
\mathrm{ref}_o\,\tau = \{(k, \Psi, l) \mid \lfloor\Psi(l)\rfloor_k = \lfloor\tau\rfloor_k\}
\]

According to this definition, a location $l$ has type $\mathrm{ref}_o\,\tau$ if the type associated with $l$ 
by the heap typing $\Psi$ is approximately $\tau$. Semantic approximation is used to satisfy the 
stratification invariant, and is operationally justified by the fact that reading from a location 
or writing to it takes one computation step. So, $l$ has type $\mathrm{ref}_o\,\tau$ for $k$ steps if all values 
that are read from $l$ or written to $l$ have type $\tau$ for $k - 1$ steps. 

The readable reference type $\mathrm{ref}_+\,\tau$ is similar to $\mathrm{ref}_o\,\tau$, but poses fewer constraints on 
the heap typing $\Psi$: it only requires that $\Psi(l)$ is a subtype of $\tau$, as before up to some 
approximation. 
\[
\begin{array}{ll}
\alpha \subseteq \beta \;\Rightarrow\; \mathrm{ref}_+\,\alpha \subseteq \mathrm{ref}_+\,\beta & \text{(SemSubCovRef)} \\
\beta \subseteq \alpha \;\Rightarrow\; \mathrm{ref}_-\,\alpha \subseteq \mathrm{ref}_-\,\beta & \text{(SemSubConRef)} \\
\mathrm{ref}_o\,\alpha \subseteq \mathrm{ref}_\nu\,\alpha, \text{ where } \nu \in \{o, +, -\} & \text{(SemSubVarRef)}
\end{array}
\]

Figure 7: Subtyping reference types 




The value stored at location $l$ also has type $\tau$ by subsumption, and therefore can be 
read and safely used as a value of type $\tau$. However, the true type of location $l$ is in general 
unknown, so writing any value to it could be unsafe (the true type of $l$ might be the empty 
type $\bot$). Nevertheless, knowing that a location has type $\mathrm{ref}_+\,\tau$ does not mean that we 
cannot write to it: it simply means that we do not know the type of the values that can be 
written to it, so in the absence of further information no write can be guaranteed to be 
type safe. 

Dually, the type $\mathrm{ref}_-\,\tau$ of writable references contains all those locations $l$ whose type 
associated by $\Psi$ is a supertype of $\tau$. 

Definition 3.18 (Writable reference types). If $\tau$ is a semantic type then 

\[
\mathrm{ref}_-\,\tau
\]

We can safely write a value of type $\tau$ to a location of type $\mathrm{ref}_-\,\tau$, since this value also 
has the real type of location $l$ by subsumption. However, the real type of such locations 
can be arbitrarily general. In particular it can be $\top$, the type of all values. Thus a location 
about which we only know that it has type $\mathrm{ref}_-\,\tau$ can only be read safely at type $\top$. 

With these definitions in place, the usual reference type from Definition 3.16 can be 
recovered as the intersection of a readable and a writable reference type: 

\[
\mathrm{ref}_o\,\tau = \mathrm{ref}_+\,\tau \cap \mathrm{ref}_-\,\tau
\]

Hence $\mathrm{ref}_+\,\tau$ and $\mathrm{ref}_-\,\tau$ are both supertypes of $\mathrm{ref}_o\,\tau$. It can also be easily shown that the 
readable reference type constructor is covariant and the writable reference type constructor is 
contravariant (Figure 7), while the usual reference types are obviously invariant. For a 
variance annotation $\nu \in \{o, +, -\}$ we use $\mathrm{ref}_\nu$ to stand for the reference type constructor 
with this variance. 

Note that, strictly speaking, the set $\mathrm{ref}_\nu\,\tau$ is not a semantic type, since for our calculus 
locations are not values (although locations appear in object values $\{m_d = l_d\}_{d \in D}$; see Section 2.2). 
In fact, the definition of object types (Definition 3.20 in the next section) will not 
depend on $\mathrm{ref}_\nu\,\tau$ being a semantic type. However, in order for the object type constructor 
to yield semantic types, it is crucial that $\mathrm{ref}_\nu\,\tau$ is closed under state extension. 

Proposition 3.19. If $\tau$ is a semantic type, then $\mathrm{ref}_\nu\,\tau$ is closed under state extension. □ 

This is conceptually different from the immutable reference types modeled in [6] using singleton types. 
3.5. Object Types. Giving a semantics to object types is much more challenging than for 
the other types. The typing rules from Section 2 indicate why this is the case. First, an 
adequate interpretation of object types must permit subtyping both in width and in depth, 
taking the variance annotations into account. Second, in contrast to all the other types we 
consider, which have just a single elimination rule, once constructed, objects support three 
different operations: invocation, update, and cloning. The definition of object types must 
ensure the consistent use of an object through all possible future operations. That is, all 
the requirements on which invocation, update or cloning rely must already be established 
at object creation time. 

Before defining the object types, it is instructive to consider some simpler variants that 
do not fulfil all the requirements we have for object types. 

Our decision to store methods in the heap as procedures, together with the 'self-application' 
semantics of method invocation (Red-Inv in Figure 3), suggests that object 
types are somewhat similar to recursive types of records of references holding procedures 
that take the enclosing record as argument: 

However, the invariance of the reference type constructor blocks any form of subtyping, 
even in width. A look at typing rules for subtyping recursive types, such as Cardelli's 
Amber rule [20] (which appears as rule SubRec in Figure 4), suggests that the position 
of the recursion variable should be covariant. For instance, when attempting to establish 
the subtyping $[m_1 : \tau_1, m_2 : \tau_2] \subseteq [m_1 : \tau_1]$ by the Amber rule one needs to show that 
$\mathrm{ref}_o(\alpha \to \tau_1) \subseteq \mathrm{ref}_o(\beta \to \tau_1)$ for any $\alpha$ and $\beta$ such that $\alpha \subseteq \beta$. Clearly this does not 
hold. Even in a simpler setting without the reference types (e.g., for the functional object 
calculus) the contravariance of the procedure type constructor in its first argument would 
cause subtyping to fail. 
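As an added concrete instance (not in the paper's text) of why the inclusion required by the Amber rule fails, here is a counterexample built only from Definitions 3.13 and 3.16 and the types $\bot$ and $\top$ of Section 3.2. The choice $\alpha = \bot$, $\beta = \top$, $\tau_1 = \bot$, the level $m$ and the one-location heap typing $\Psi$ are ours.

\[
\begin{array}{l}
\text{Take } \alpha = \bot = \emptyset,\; \beta = \top,\; \tau_1 = \bot, \text{ a level } m \ge 2, \text{ and the heap typing } \Psi = [l := \bot \to \bot] \\
\quad (\bot \to \bot \in \mathit{Type} \text{ by Proposition 3.14}). \\[2pt]
(m, \Psi, \lambda x.x) \in \bot \to \bot: \text{ the premise } (j, \Psi', v) \in \bot \text{ of Definition 3.13 never holds.} \\
(m, \Psi, \lambda x.x) \notin \top \to \bot: \text{ take } j = 1 < m,\; \Psi' = \lfloor\Psi\rfloor_1 \text{ and any closed value } v, \text{ so } (j, \Psi', v) \in \top; \\
\quad \text{Definition 3.13 then demands } v :_{1,\Psi'} \bot. \text{ But } v \text{ is irreducible after } 0 \text{ steps, so for a heap } h :_1 \Psi' \\
\quad \text{(e.g. } h = [l := \lambda x.x]\text{, accepted at level } 0\text{) Definition 3.6 would require } (1, \Psi'', v) \in \bot = \emptyset. \\[2pt]
\text{Hence for } k > m:\quad \lfloor\bot \to \bot\rfloor_k \neq \lfloor\top \to \bot\rfloor_k, \text{ even though } \top \to \bot \subseteq \bot \to \bot \text{ by (SemSubProc).} \\
\text{By Definition 3.16, } (k, \Psi, l) \in \mathrm{ref}_o(\bot \to \bot) \text{ but } (k, \Psi, l) \notin \mathrm{ref}_o(\top \to \bot), \\
\quad \text{so } \mathrm{ref}_o(\alpha \to \tau_1) \not\subseteq \mathrm{ref}_o(\beta \to \tau_1) \text{ although } \alpha \subseteq \beta.
\end{array}
\]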

A combination of type recursion and an existential quantifier that uses the recursion 
variable as bound would allow us to enforce covariance for the positions of the recursion 
variable, and thus have subtyping in width: 

\[
[m_d : \tau_d]_{d \in D} = \mu(\alpha).\exists \alpha' \subseteq \alpha.\{m_d : \mathrm{ref}_o(\alpha' \to \tau_d)\}_{d \in D}
\]

Intuitively $\alpha'$ can be viewed as the 'true' (i.e., most precise) type of the object, while $\alpha$ is 
a more general type that can be given to it by subtyping. This is essentially the idea of the 
encodings of object types explored by Abadi et al. [2, 13]. 

For subtyping in depth with respect to the variance annotations we simply use the 
readable and writable reference types we defined in the previous section: 

\[
[m_d :_{\nu_d} \tau_d]_{d \in D} = \mu(\alpha).\exists \alpha' \subseteq \alpha.\{m_d : \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d)\}_{d \in D}
\]

Still, by keeping $\alpha'$ abstract, neither the typing rule for method invocation (Inv in Figure 5) 
nor the one for object cloning (Clone) is validated. 

By explicitly enforcing in the definition of object types that the object value itself in 
fact belongs to this existentially quantified $\alpha'$, the assumptions become sufficiently strong 
to repair the invocation case. This is consistent with seeing $\alpha'$ as the 'true' type of the 
object. Semantically, we can express this using an intersection of types: 

\[
[m_d :_{\nu_d} \tau_d]_{d \in D} = \mu(\alpha).\exists \alpha' \subseteq \alpha.\big(\{m_d : \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d)\}_{d \in D} \cap \alpha'\big)
\]

Forcing not only the current object value to be in $\alpha'$, but also all the 'sufficiently similar' 
values (maybe not even created yet), covers the case of cloning. The following definition 
formalizes this construction. 

Definition 3.20 (Object types). Let $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ be defined as the set of all triples 
$(k, \Psi, \{m_e = l_e\}_{e \in E})$ such that $D \subseteq E$ and 

\[
\begin{array}{ll}
\exists \alpha'.\; \alpha' \in \mathit{Type} \;\wedge\; \lfloor\alpha'\rfloor_k \subseteq \lfloor\alpha\rfloor_k & \text{(Obj-1)} \\
\wedge\; \big(\forall d \in D.\; (k, \Psi, l_d) \in \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d)\big) & \text{(Obj-2)} \\
\wedge\; \big(\forall j < k.\; \forall \Psi'.\; \forall \{m_e = l'_e\}_{e \in E}. & \text{(Obj-3)} \\
\quad (k, \Psi) \sqsubseteq (j, \Psi') \;\wedge\; (\forall e \in E.\; \lfloor\Psi'\rfloor_j(l'_e) = \lfloor\Psi\rfloor_j(l_e)) \;\Rightarrow\; (j, \lfloor\Psi'\rfloor_j, \{m_e = l'_e\}_{e \in E}) \in \alpha'\big) &
\end{array}
\]

The condition stating that $D \subseteq E$ ensures that all values in an object type provide 
at least the required methods listed by this type, but can also provide more. Clearly this 
is necessary for subtyping in width. Condition (Obj-1) postulates the existence of a more 
specific type $\alpha'$, the 'true' type of the object $\{m_e = l_e\}_{e \in E}$ (up to approximation $k$), and the 
subsequent conditions are all stated in terms of $\alpha'$ rather than $\alpha$. Condition (Obj-2) states 
the requirements for the methods in terms of the reference type constructors introduced in 
Section 3.4. Since the existentially quantified $\alpha'$ might equal $\alpha$, one must take care that 
(Obj-2) does not introduce a circularity. However, due to the use of approximation in the 
definition of the reference type constructors, the condition only depends on $\lfloor\alpha'\rfloor_k$ rather 
than $\alpha'$. This will ensure the well-foundedness of the construction. 

As explained above, in order to invoke methods we must know that $\{m_e = l_e\}_{e \in E}$ belongs 
to the more specific type $\alpha'$ for $j < k$ steps (which suffices since application consumes a 
step). In the particular case where $\Psi'$ is $\Psi$ and $\{m_e = l'_e\}_{e \in E}$ is $\{m_e = l_e\}_{e \in E}$, condition (Obj-3) 
states exactly this. We need the more general formulation in order to ensure that the 
clones of the considered object also belong to the same type $\alpha'$. Therefore we enforce that no 
matter how an object value $\{m_e = l'_e\}_{e \in E}$ is constructed, it belongs to type $\alpha'$ provided that 
it satisfies the same typing assumptions as $\{m_e = l_e\}_{e \in E}$, with respect to a possibly extended 
heap typing $\Psi'$. Allowing for state extension is necessary since cloning itself allocates new 
locations not present in the original $\Psi$, and also because cloning can be performed after 
some intermediate computation steps that result in further allocations. 

We show that this definition of object types actually makes sense, in that it defines a 
semantic type. This is not immediately obvious because of the recursion. 

Proposition 3.21. If $\tau_d \in \mathit{Type}$ for all $d \in D$, then we also have that $[m_d :_{\nu_d} \tau_d]_{d \in D} \in \mathit{Type}$. 

Proof sketch. We must show (1) that $[m_d :_{\nu_d} \tau_d]_{d \in D}$ is well-defined, i.e., that the recursive 
definition is well-founded, and (2) that it is closed under state extension. 

To prove the well-definedness one can use general results about recursive types in step-indexed 
semantics [10], since the object type constructor is 'contractive'. Alternatively, 
from the observation that $\tau = \bigcup_k \lfloor\tau\rfloor_k$ for types $\tau$, it suffices to directly argue that 
Definition 3.20 defines $\lfloor[m_d :_{\nu_d} \tau_d]_{d \in D}\rfloor_k$ in terms of $\lfloor[m_d :_{\nu_d} \tau_d]_{d \in D}\rfloor_j$ for $j < k$. The 
closure under state extension follows from the corresponding property of the types $\alpha' \to \tau_d$ 
(Proposition 3.14) and of the sets $\mathrm{ref}_{\nu_d}(\alpha' \to \tau_d)$ (Proposition 3.19), and from the transitivity 
of state extension. □ 
Let $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$. 

\[
\begin{array}{ll}
(\forall d \in D.\; \Sigma[x_d := \alpha] \models b_d : \tau_d) \;\Rightarrow\; \Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha & \text{(SemObj)} \\
(\Sigma \models a : \alpha \;\wedge\; e \in D \;\wedge\; \nu_e \in \{+, o\}) \;\Rightarrow\; \Sigma \models a.m_e : \tau_e & \text{(SemInv)} \\
(\Sigma \models a : \alpha \;\wedge\; e \in D \;\wedge\; \nu_e \in \{-, o\} \;\wedge\; \Sigma[x := \alpha] \models b : \tau_e) \;\Rightarrow\; \Sigma \models a.m_e \Leftarrow \varsigma(x)b : \alpha & \text{(SemUpd)} \\
\Sigma \models a : \alpha \;\Rightarrow\; \Sigma \models \mathrm{clone}\; a : \alpha & \text{(SemClone)} \\
\big(E \subseteq D \;\wedge\; (\forall e \in E.\; \nu_e \in \{+, o\} \Rightarrow \alpha_e \subseteq \beta_e) \;\wedge\; (\forall e \in E.\; \nu_e \in \{-, o\} \Rightarrow \beta_e \subseteq \alpha_e)\big) & \\
\quad \Rightarrow\; [m_d :_{\nu_d} \alpha_d]_{d \in D} \subseteq [m_e :_{\nu_e} \beta_e]_{e \in E} & \text{(SemSubObj)} \\
(\forall d \in D.\; \nu_d = o \;\vee\; \nu_d = \nu'_d) \;\Rightarrow\; [m_d :_{\nu_d} \tau_d]_{d \in D} \subseteq [m_d :_{\nu'_d} \tau_d]_{d \in D} & \text{(SemSubObjVar)}
\end{array}
\]

Figure 8: Typing lemmas: object types 

Figure 8 presents the semantic typing and subtyping lemmas for object types. 

Lemma 3.22 (Object types). All the semantic typing lemmas shown in Figure 8 are valid 
implications. 

Proof sketch. The semantic typing lemmas are proved independently. We sketch this for 
(SemObj). A detailed proof, as well as the proofs of the other typing lemmas, are given in 
the Appendix. 

For $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ and assuming $\Sigma[x_d := \alpha] \models b_d : \tau_d$ for all $d \in D$, we must 
show that $\Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha$. So let $k \ge 0$, $\sigma$ and $\Psi$ be such that $\sigma :_{k,\Psi} \Sigma$. By 
Definition 3.8 (Semantic typing judgement) we must prove that $\sigma([m_d = \varsigma(x_d)b_d]_{d \in D}) :_{k,\Psi} \alpha$, 
or equivalently (after suitable $\alpha$-renaming) that $[m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D} :_{k,\Psi} \alpha$ holds. Now let 
$h$, $h'$ and $b'$ be such that $h :_k \Psi$ and 

\[
(h, [m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D}) \to^j (h', b')
\]

for some $j < k$, and assume that $(h', b')$ is irreducible. From the operational semantics it is 
clear that $j = 1$, $b' = \{m_d = l_d\}_{d \in D}$ and that, for some locations $l_d \notin \mathrm{dom}(h)$, 

\[
h' = h[l_d := \lambda(x_d)\sigma(b_d)]_{d \in D}
\]

Choosing $\Psi' = \lfloor\Psi[l_d := (\alpha \to \tau_d)]_{d \in D}\rfloor_{k-1}$ it is easily seen that $(k, \Psi) \sqsubseteq (k - 1, \Psi')$. Furthermore, 
from the hypothesis by (SemLam) we have that $\Sigma \models \lambda(x_d)b_d : \alpha \to \tau_d$ for all 
$d \in D$. From this and the assumption that $h :_k \Psi$ it follows that $h' :_{k-1} \Psi'$. 

By Definition 3.6 it remains to establish that $(k - 1, \Psi', \{m_d = l_d\}_{d \in D}) \in \alpha$. This is 
achieved by proving the following more general claim by induction on $j_0$: 

Claim 3.23. For all $j_0 \ge 0$, $\Psi^*$ and $\{m_d = l^*_d\}_{d \in D}$ we have that 

\[
(k - 1, \Psi') \sqsubseteq (j_0, \Psi^*) \;\wedge\; (\forall d \in D.\; \lfloor\Psi^*\rfloor_{j_0}(l^*_d) = \lfloor\Psi'\rfloor_{j_0}(l_d)) \;\Rightarrow\; (j_0, \lfloor\Psi^*\rfloor_{j_0}, \{m_d = l^*_d\}_{d \in D}) \in \alpha
\]

The key step is in choosing $\alpha'$ equal to $\lfloor\alpha\rfloor_{j_0}$, then verifying the three conditions of Definition 3.20 
(Object types), where the inductive hypothesis is used for showing (Obj-3). □ 
Remark 3.24. In the above proof, establishing $(k - 1, \Psi', \{m_d = l_d\}_{d \in D}) \in \alpha$ directly does 
not seem possible, and the generalization to Claim 3.23 arises naturally from a failed proof 
attempt: in order to prove the three conditions of Definition 3.20 a sensible choice for $\alpha'$ is 
$\alpha$, and for $E$ is $D$, after which (Obj-1) and (Obj-2) follow easily. But (Obj-3) requires 
us to show that $(j, \lfloor\Psi''\rfloor_j, \{m_d = l'_d\}_{d \in D}) \in \alpha$ for all $j < k - 1$, all $l'_d$, and all extensions $\Psi''$ 
of $\Psi'$ with $\lfloor\Psi''\rfloor_j(l'_d) = \lfloor\Psi'\rfloor_j(l_d)$. This is just what Claim 3.23 states. 

The fact that there is an inductive argument hidden in this proof does not come as a 
surprise: the induction on the step index $j_0$ resolves the recursion that is inherent to objects 
due to the self-application semantics of method invocation. 

3.6. Bounded Quantified Types. Impredicative quantified types were previously studied 
in a step-indexed setting by Ahmed et al. [6, 9] for a lambda-calculus with general 
references, and we follow their presentation. However, unlike in the work of Ahmed et al., 
our quantifiers have bounds, and we are also studying subtyping. It is important to note 
that the impredicative second-order types were the reason why a semantic stratification of 
types was needed in the presence of general references [6], as opposed to a syntactic one 
based on the nesting of reference types [8]. In the setting we consider in this paper we need 
the semantic stratification not only to explicitly accommodate quantified types, but also 
because our interpretation of object types uses existential types implicitly. 

As in Appel and McAllester's work [10], a type constructor $F$ (i.e., a function from 
semantic types to semantic types) is non-expansive if, in order to determine whether a term 
has type $F(\tau)$ with approximation $k$, it suffices to know the type $\tau$ only to approximation 
$k$. As we will later show (Lemma 3.33), all the type constructors we define in this paper 
are non-expansive. 

Definition 3.25 (Non-expansiveness). A type constructor $F : \mathit{Type} \to \mathit{Type}$ is non-expansive 
if for all types $\tau$ and for all $k \ge 0$ we have that $\lfloor F(\tau)\rfloor_k = \lfloor F(\lfloor\tau\rfloor_k)\rfloor_k$. 

The definitions of second-order types require that $\forall$ and $\exists$ are only applied to non-expansive 
type constructors. The non-expansiveness condition ensures that in order to 
determine level $k$ of a universal or existential type, quantification over the types in $\mathit{PreType}_k$ 
suffices. This helps avoid the circularity that is otherwise introduced by the impredicative 
quantification. 

Definition 3.26 (Bounded universal types). If $F : \mathit{Type} \to \mathit{Type}$ is non-expansive and 
$\alpha \in \mathit{Type}$, then we define $\forall_\alpha F$ by $(k, \Psi, \Lambda.a) \in \forall_\alpha F$ if and only if 

\[
\forall j, \Psi'.\; \forall \tau.\; (k, \Psi) \sqsubseteq (j, \Psi') \;\wedge\; \tau \in \mathit{Type} \;\wedge\; \lfloor\tau\rfloor_j \subseteq \lfloor\alpha\rfloor_j \;\Rightarrow\; \forall i < j.\; a :_{i,\lfloor\Psi'\rfloor_i} F(\tau)
\]

Definition 3.27 (Bounded existential types). For all non-expansive $F : \mathit{Type} \to \mathit{Type}$ and 
$\alpha \in \mathit{Type}$, the set $\exists_\alpha F$ is defined by $(k, \Psi, \mathrm{pack}\; v) \in \exists_\alpha F$ if and only if 

\[
\exists \tau.\; \tau \in \mathit{Type} \;\wedge\; \lfloor\tau\rfloor_k \subseteq \lfloor\alpha\rfloor_k \;\wedge\; \forall j < k.\; (j, \lfloor\Psi\rfloor_j, v) \in F(\tau)
\]

Proposition 3.28. If $\alpha \in \mathit{Type}$ and $F : \mathit{Type} \to \mathit{Type}$ is non-expansive, then $\forall_\alpha F$ and $\exists_\alpha F$ 
are also types. □ 

Proof sketch. The proofs are minor modifications of those given in [6], to additionally take 
the bounds into account. □ 
For all non-expansive $F, G : \mathit{Type} \to \mathit{Type}$, 

\[
\begin{array}{ll}
(\forall \tau \in \mathit{Type}.\; \tau \subseteq \alpha \Rightarrow \Sigma \models a : F(\tau)) \;\Rightarrow\; \Sigma \models \Lambda.a : \forall_\alpha F & \text{(SemTAbs)} \\
(\Sigma \models a : \forall_\alpha F \;\wedge\; \tau \in \mathit{Type} \;\wedge\; \tau \subseteq \alpha) \;\Rightarrow\; \Sigma \models a[] : F(\tau) & \text{(SemTApp)} \\
(\exists \tau \in \mathit{Type}.\; \tau \subseteq \alpha \;\wedge\; \Sigma \models a : F(\tau)) \;\Rightarrow\; \Sigma \models \mathrm{pack}\; a : \exists_\alpha F & \text{(SemPack)} \\
(\Sigma \models a : \exists_\alpha F \;\wedge\; \forall \tau \in \mathit{Type}.\; \tau \subseteq \alpha \Rightarrow \Sigma[x := F(\tau)] \models b : \beta) & \\
\quad \Rightarrow\; \Sigma \models \mathrm{open}\; a\; \mathrm{as}\; x\; \mathrm{in}\; b : \beta & \text{(SemOpen)} \\
(\beta \subseteq \alpha \;\wedge\; \forall \tau \in \mathit{Type}.\; \tau \subseteq \beta \Rightarrow F(\tau) \subseteq G(\tau)) \;\Rightarrow\; \forall_\alpha F \subseteq \forall_\beta G & \text{(SemSubUniv)} \\
(\alpha \subseteq \beta \;\wedge\; \forall \tau \in \mathit{Type}.\; \tau \subseteq \alpha \Rightarrow F(\tau) \subseteq G(\tau)) \;\Rightarrow\; \exists_\alpha F \subseteq \exists_\beta G & \text{(SemSubExist)}
\end{array}
\]

Figure 9: Typing lemmas: bounded quantified types 



Lemma 3.29 (Bounded quantified types). All the semantic typing lemmas shown in Figure 9 
are valid implications. 

Proof sketch. The first four implications are proved as in [6]; the additional precondition 
$\tau \subseteq \alpha$ in (SemTApp) and (SemPack) serves to establish the requirements for the bounds. 
The two subtyping lemmas (SemSubUniv) and (SemSubExist) are easily proved by just 
unfolding the definitions. □ 



3.7. Recursive Types. In contrast to most previous work on step-indexed models, we 
consider iso-recursive rather than equi-recursive types, so folds and unfolds are explicit in our 
syntax and consume computation steps. Iso-recursive types have been previously considered 
by Ahmed for a step-indexed relational model of the lambda calculus [7]. Iso-recursion is 
simpler, and sufficient for our purpose. As a consequence, we require type constructors to 
be only non-expansive, as opposed to the stronger 'contractiveness' requirement [10]. 

Definition 3.30 (Recursive types). Let $F : \mathit{Type} \to \mathit{Type}$ be a non-expansive function. We 
define the set $\mu F$ by 

\[
(k, \Psi, \mathrm{fold}\; v) \in \mu F \iff \forall j < k.\; (j, \lfloor\Psi\rfloor_j, v) \in F(\mu F)
\]

Proposition 3.31. For all non-expansive $F : \mathit{Type} \to \mathit{Type}$, $\mu F \in \mathit{Type}$ is well-defined. 

Proof sketch. The well-definedness follows from the observation that $\lfloor\mu F\rfloor_k$ is defined only 
in terms of $\lfloor F(\mu F)\rfloor_j$ for $j < k$, which by the non-expansiveness of $F$ means that $\lfloor\mu F\rfloor_k$ 
relies only on $\lfloor\mu F\rfloor_j$. The closure under state extension is established by an induction, 
proving that for each $k \ge 0$, $\lfloor\mu F\rfloor_k \in \mathit{Type}$. □ 

Figure 10 presents the semantic typing lemmas for recursive types. As a consequence, 
we have the expected fixed point property $\Sigma \models a : F(\mu F) \iff \Sigma \models \mathrm{fold}\; a : \mu F$. 

Lemma 3.32 (Recursive types). All the semantic typing lemmas shown in Figure 10 are 
valid implications. 

Proof sketch. The validity of (SemFold) and (SemUnfold) are easy consequences of Definition 3.30. 
For (SemSubRec), one shows by induction on $k$ that $\lfloor\mu F\rfloor_k \subseteq \lfloor\mu G\rfloor_k$, using 
the precondition of the rule and the non-expansiveness of $F$ and $G$. □ 
For all non-expansive $F, G : \mathit{Type} \to \mathit{Type}$, 

\[
\begin{array}{ll}
\Sigma \models a : \mu F \;\Rightarrow\; \Sigma \models \mathrm{unfold}\; a : F(\mu F) & \text{(SemUnfold)} \\
\Sigma \models a : F(\mu F) \;\Rightarrow\; \Sigma \models \mathrm{fold}\; a : \mu F & \text{(SemFold)} \\
(\forall \alpha, \beta.\; \alpha \subseteq \beta \Rightarrow F(\alpha) \subseteq G(\beta)) \;\Rightarrow\; \mu F \subseteq \mu G & \text{(SemSubRec)}
\end{array}
\]

Figure 10: Typing lemmas: recursive types 



\[
\begin{array}{l}
\llbracket X \rrbracket_\eta = \eta(X) \\
\llbracket \mathit{Top} \rrbracket_\eta = \top \\
\llbracket \mu(X)A \rrbracket_\eta = \mu(\lambda \alpha \in \mathit{Type}.\; \llbracket A \rrbracket_{\eta[X := \alpha]}) \\
\llbracket \forall(X \le A)B \rrbracket_\eta = \forall_{\llbracket A \rrbracket_\eta}(\lambda \alpha \in \mathit{Type}.\; \llbracket B \rrbracket_{\eta[X := \alpha]}) \\
\llbracket \exists(X \le A)B \rrbracket_\eta = \exists_{\llbracket A \rrbracket_\eta}(\lambda \alpha \in \mathit{Type}.\; \llbracket B \rrbracket_{\eta[X := \alpha]})
\end{array}
\]

Figure 11: Interpretation of types 



Lemma 3.33 (Non-expansiveness). All the considered type constructors are non-expansive. 

Proof sketch. It is easily seen that the definition of $\lfloor\alpha \to \beta\rfloor_k$ uses only $\lfloor\alpha\rfloor_j$ and $\lfloor\beta\rfloor_j$ for 
$j < k$, and therefore that $\lfloor\alpha \to \beta\rfloor_k = \lfloor\lfloor\alpha\rfloor_k \to \lfloor\beta\rfloor_k\rfloor_k$. A similar statement holds for the 
$k$-th approximation of quantified types $\forall_\alpha F$ and $\exists_\alpha F$, since their definition only depends 
on $\lfloor\alpha\rfloor_j$ and $\lfloor F\rfloor_j$ for $j < k$. In the case of object and recursive types, the properties 
$\lfloor[m_d :_{\nu_d} \tau_d]_{d \in D}\rfloor_k = \lfloor[m_d :_{\nu_d} \lfloor\tau_d\rfloor_k]_{d \in D}\rfloor_k$ and $\lfloor\mu F\rfloor_k = \lfloor\mu\lfloor F\rfloor_k\rfloor_k$ can be established by 
induction on $k$, using the non-expansiveness of $F$ in the latter case. □ 



4. Semantic Soundness 

In order to prove that well-typed terms are safe to evaluate we relate the syntactic types 
to their semantic counterparts, and then use the fact that the semantic typing judgement 
enforces safety by construction (Theorem 3.11). This approach is standard in denotational 
semantics. In fact, none of the main statements or proofs in this section mentions step 
indices explicitly. 

Definition 4.1 (Interpretation of types and typing contexts). Let $\eta$ be a total function 
from type variables to semantic types. 

(1) The interpretation $\llbracket A \rrbracket_\eta$ of a type $A$ is given by the structurally recursive meaning 
function defined in Figure 11. 

(2) The interpretation of a well-formed typing context $\Gamma$ with respect to $\eta$ is given by the 
function that maps $x$ to $\llbracket A \rrbracket_\eta$, for every $x : A \in \Gamma$. 

Note that in Figure 11 the type constructors used on the left-hand sides of the equations 
are simply syntax, while those on the right-hand sides refer to the corresponding semantic 
constructions, as defined in the previous section. 

Recall that non-expansiveness is a necessary precondition for some of the semantic 
typing lemmas. In particular, the well-definedness of $\llbracket A \rrbracket_\eta$ depends on non-expansiveness, 
due to the use of $\mu$, $\forall_{(\cdot)}$ and $\exists_{(\cdot)}$ in Figure 11. So we begin by showing that the interpretation 
of types is a non-expansive map. 

Lemma 4.2 (Non-expansiveness). $\llbracket A \rrbracket_\eta$ is non-expansive in $\eta$. 

Proof sketch. We show that $\lfloor\llbracket A \rrbracket_\eta\rfloor_k = \lfloor\llbracket A \rrbracket_{\lfloor\eta\rfloor_k}\rfloor_k$ holds by induction on the structure of 
$A$, relying on Lemma 3.33 for the non-expansiveness of the semantic type constructions. □ 

Definition 4.3 ($\eta \models \Gamma$). Let $\Gamma$ be a well-formed typing context. We say that $\eta$ satisfies 
$\Gamma$, written as $\eta \models \Gamma$, if $\eta(X) \subseteq \llbracket A \rrbracket_\eta$ holds for all $X \le A$ appearing in $\Gamma$. 

We show the soundness of the subtyping relation. 

Lemma 4.4 (Soundness of subtyping). If $\Gamma \vdash A \le B$ and $\eta \models \Gamma$ then $\llbracket A \rrbracket_\eta \subseteq \llbracket B \rrbracket_\eta$. 

Proof sketch. By induction on the derivation of $\Gamma \vdash A \le B$ and case analysis on the 
last applied rule. Each case is immediately reduced to one of the subtyping lemmas from 
Section 3. □ 

Finally, we prove the semantic soundness of the syntactic type system with respect to 
the model. 

Theorem 4.5 (Semantic soundness). Whenever $\Gamma \vdash a : A$ and $\eta \models \Gamma$ it follows that 

Proof sketch. By induction on the derivation of $\Gamma \vdash a : A$ and case analysis on the last rule 
applied. Each case is easily reduced to one of the semantic typing lemmas from Section 3, 
using a standard type substitution lemma for derivations ending with an application of 
(Fold), (Unfold), (TApp), or (Pack). □ 

By Theorems 4.5 (Semantic soundness) and 3.11 (Safety), we have a proof of safety for 
the type system from Section 2.3. 

Corollary 4.6 (Type safety). Well-typed terms are safe to evaluate. □ 



5. Self Types 

Self types have been proposed by Abadi and Cardelli [2] as a means to reconcile recursive 
object types with 'proper' subtyping. Self types are interesting because they allow us to 
type methods that return the possibly modified host object, or a clone of it. For instance, 
a type of list nodes, with a filter method that produces the sublist of all elements satisfying 
a given predicate, is 

\[
\mathit{List}_A = \mathrm{Obj}(X)[\mathit{hd} :_o A,\; \mathit{tl} :_o X + \mathit{Unit},\; \mathit{filter} :_+ (A \to \mathit{Bool}) \to X,\; \ldots]
\]

Note that the similar recursive type 

\[
\mu(X)[\mathit{hd} :_o A,\; \mathit{tl} :_o X + \mathit{Unit},\; \mathit{filter} :_+ (A \to \mathit{Bool}) \to X,\; \ldots]
\]

does not satisfy the usual subtyping for object types because of the invariance of the $\mathit{hd}$ 
and $\mathit{tl}$ fields. 
Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and $\beta = [m_e :_{\nu_e} G_e]_{e \in E}$ with $E \subseteq D$. 

\[
\begin{array}{ll}
(\forall d \in D.\; \Sigma[x_d := \alpha] \models b_d : F_d(\alpha)) \;\Rightarrow\; \Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha & \text{(SemObj-Self)} \\
(\Sigma \models a : \alpha \;\wedge\; e \in D \;\wedge\; \nu_e \in \{+, o\}) \;\Rightarrow\; \Sigma \models a.m_e : F_e(\alpha) & \text{(SemInv-Self)} \\
(\Sigma \models a : \alpha \;\wedge\; e \in D \;\wedge\; \nu_e \in \{-, o\} \;\wedge\; \forall \xi \subseteq \alpha.\; \Sigma[x := \xi] \models b : F_e(\xi)) & \\
\quad \Rightarrow\; \Sigma \models a.m_e \Leftarrow \varsigma(x)b : \alpha & \text{(SemUpd-Self)} \\
\Sigma \models a : \alpha \;\Rightarrow\; \Sigma \models \mathrm{clone}\; a : \alpha & \text{(SemClone-Self)} \\
\big(\forall e \in E.\; (\nu_e \in \{+, o\} \Rightarrow \forall \xi \subseteq \alpha.\; F_e(\xi) \subseteq G_e(\xi)) & \\
\quad \wedge\; (\nu_e \in \{-, o\} \Rightarrow \forall \xi \subseteq \alpha.\; G_e(\xi) \subseteq F_e(\xi))\big) \;\Rightarrow\; \alpha \subseteq \beta & \text{(SemSubObj-Self)} \\
(\forall d \in D.\; \nu_d = o \;\vee\; \nu_d = \nu'_d) \;\Rightarrow\; [m_d :_{\nu_d} F_d]_{d \in D} \subseteq [m_d :_{\nu'_d} F_d]_{d \in D} & \text{(SemSubObjVar-Self)}
\end{array}
\]

Figure 12: Typing lemmas: self types 



5.1. Semantics of Self Types. Abadi and Cardelli [2, Ch. 15] show how self types can be understood in terms of recursive and existentially quantified object types via an encoding. More precisely, the type $\mathit{Obj}(X)[m_d :_{\nu_d} B_d]_{d \in D}$, where $X$ may occur positively in $B_d$, stands for the recursive type $\mu(Y)\exists(X \leq Y)[m_d :_{\nu_d} B_d]_{d \in D}$. The bounded existential quantifier introduced by this encoding gives rise to the desired subtyping in width and depth, despite the type recursion.

Since our type system features recursive and bounded existential types, self types could be accommodated via this encoding. However, a treatment of self types can be achieved even more directly, without relying on the encoding. In fact, almost everything is in place already: recall that the semantics of object types (Definition 3.20) employs recursion and an existential quantification to refer to the 'true' type of an object. Condition Obj-2 in Definition 3.20 can be changed to take advantage of this type:

Definition 5.1 (Self types). Assume $F_d : \mathit{Type} \to \mathit{Type}$ are monotonic and non-expansive type constructors, for all $d \in D$. Then let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ be defined as the set of all triples $(k, \Psi, \{m_e = l_e\}_{e \in E})$ such that $D \subseteq E$ and

$$\begin{array}{lr}
\exists \alpha'.\ \alpha' \in \mathit{Type} \wedge \lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k & \text{(Obj-1)} \\
\wedge\ (\forall d \in D.\ (k, \Psi, l_d) \in \mathit{ref}_{\nu_d}(\alpha' \to F_d(\alpha'))) & \text{(Obj-2-self)} \\
\wedge\ (\forall j < k.\ \forall \Psi'.\ \forall \{m_e = l'_e\}_{e \in E}. & \text{(Obj-3)} \\
\qquad (k, \Psi) \sqsubseteq (j, \Psi') \wedge (\forall e \in E.\ \lfloor \Psi' \rfloor_j (l'_e) = \lfloor \Psi' \rfloor_j (l_e)) & \\
\qquad \Rightarrow (j, \lfloor \Psi' \rfloor_j, \{m_e = l'_e\}_{e \in E}) \in \alpha') &
\end{array}$$

As in Section 3.5 one shows that Definition 5.1 uniquely determines a type. In this proof, the non-expansiveness of the type functions $F_d$ is necessary in order to ensure that $\lfloor [m_d :_{\nu_d} F_d]_{d \in D} \rfloor_k$ is defined in terms of $\lfloor [m_d :_{\nu_d} F_d]_{d \in D} \rfloor_j$ for $j < k$ only. Moreover, the proofs of the typing lemmas for object types (see Section A.2 in the Appendix) carry over with minor modifications, to show that the semantic typing lemmas in Figure 12 hold. Most cases are obtained by replacing the result type by $F_d(\alpha')$ throughout the proof, for $\alpha'$ the existentially quantified type from condition (Obj-1) of Definition 5.1. The proof of (SemInv-Self) uses the monotonicity of $F_e$ to conclude that the result of the invocation has type $F_e(\alpha)$ from the fact that it has type $F_e(\alpha')$, as given by condition (Obj-2-self). In the proofs of (SemUpd-Self) and (SemSubObj-Self), the universally quantified $\xi$ from the respective assumptions is instantiated by $\alpha'$. Since (Obj-1) only gives that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ but not necessarily $\alpha' \subseteq \alpha$, these three proofs also use the non-expansiveness of $F_e$ in an essential way. Finally, given the non-expansiveness of each $F_d$, an induction shows that

$$\lfloor [m_d :_{\nu_d} F_d]_{d \in D} \rfloor_k = \lfloor [m_d :_{\nu_d} \lfloor F_d \rfloor_k]_{d \in D} \rfloor_k \quad \text{for all } k.$$

In other words, $[m_d :_{\nu_d} F_d]_{d \in D}$, viewed as a type constructor, is non-expansive and Lemma 3.33 still holds.

The interpretation of syntactic type expressions given in Figure 11 extends straightforwardly to self types using the new type constructor:

With this interpretation and the semantic typing lemmas from Figure 12, the soundness theorem from Section 4 should extend to a syntactic type system for objects with self types similar to the one derived by Abadi and Cardelli [2, Ch. 15] for their encoding (but also including variance annotations and a typing rule for cloning).



5.2. Limitations. Note that with the exception of (SemUpd-Self), all the semantic typing lemmas for self types are stronger than their counterparts from Figure [HI. This is already enough to typecheck many examples involving self types [2, Ch. 15].

However, as for the encoding of Abadi and Cardelli, when updating methods one usually does not have full information about the precise self type $\alpha'$ of the host object, which may be a proper subtype of $\alpha$. Therefore the statement (SemUpd-Self) about method update in Figure 12 includes a quantification over all subtypes of the known type $\alpha$ of the object $a$, to ensure that the updated method also works correctly for the precise type. As a consequence the new method body $b$ must be sufficiently parametric in the type of its self parameter $x$, which can be overly restrictive. Abadi and Cardelli [2, Ch. 17] demonstrate this limitation with an example of objects that provide a backup and a retrieve method:

$$\mathit{Bk} = \mathit{Obj}(X)[\mathit{retrieve} :_{\mathsf{o}} X,\ \mathit{backup} :_{\mathsf{o}} X,\ \ldots]$$

A sensible definition of the backup method updates the retrieve method so that a subsequent invocation of retrieve yields a clone of the current object $x$:

$$\mathit{backup}(x) = \mathit{let}\ z = \mathit{clone}\ x\ \mathit{in}\ x.\mathit{retrieve} := \varsigma(y)\, z$$

Here, 'let $z = a$ in $b$' stands for the usual syntactic sugar $(\lambda(z)\, b)\ a$. Let $\beta = \llbracket \mathit{Bk} \rrbracket$ denote the interpretation of the syntactic type $\mathit{Bk}$. While the backup method has the correct operational behaviour, to typecheck the method update to $x$ in its body using (SemUpd-Self) we would need the statement $\Sigma[x := \beta, z := \beta, y := \xi] \models z : \xi$. But this statement does not hold for an arbitrary subtype $\xi \subseteq \beta$. Therefore the semantic typing lemmas stated above are not strong enough to prove that $\Sigma[x := \beta, z := \beta] \models x.\mathit{retrieve} := \varsigma(y)\, z : \beta$, and thus that $\Sigma[x := \beta] \models \mathit{backup}(x) : \beta$ holds for the method body. This prevents us from typing an object that contains this method (e.g., $[\mathit{backup} = \varsigma(x)\, \mathit{backup}(x), \ldots]$) to type $\beta$ using the semantic typing lemmas.
Abadi and Cardelli [2, Ch. 17] address this lack of expressiveness by modifying the calculus in two respects. First, they introduce a new syntax for method update, $a.m_e := (y, z = c)\, \varsigma(x)\, b$. Operationally this new construct behaves just like

$$\mathit{let}\ y = a\ \mathit{in}\ \mathit{let}\ z = c\ \mathit{in}\ y.m_e := \varsigma(x)\, b \qquad (5.1)$$

but its typing rule is more powerful than the one induced by this encoding. When typing $c$ and the method body $b$, $y$ can be assumed to have the precise type of the object:

$$\frac{A = \mathit{Obj}(Y)[m_d :_{\nu_d} B_d]_{d \in D} \quad \Gamma \vdash a : A \quad e \in D \quad \nu_e \in \{-, \mathsf{o}\} \quad \Gamma, X \leq A, y : X \vdash c : C \quad \Gamma, X \leq A, y : X, z : C, x : X \vdash b : B_e}{\Gamma \vdash a.m_e := (y, z = c)\, \varsigma(x)\, b : A}\ \text{(Upd-Self)}$$

Second, in order to propagate this information, typing rules with 'structural' assumptions are introduced. For instance, the inference rule for object cloning takes the form

$$\Gamma \vdash \mathit{clone}\ a : A \qquad \text{(Clone-Str)}$$

thus applying also in the case where $A$ is a type variable. In this modified system, the body of the backup method can be rewritten as

$$\mathit{backup}'(x) = x.\mathit{retrieve} := (y, z = \mathit{clone}\ y)\, \varsigma(x)\, z \qquad (5.2)$$

and the judgement $\Gamma, x : \mathit{Bk} \vdash \mathit{backup}'(x) : \mathit{Bk}$ is derivable.

Even in the purely syntactic setting, the ad hoc character of the syntax extension is not entirely satisfactory, but for the step-indexed semantics of types both modifications are in fact problematic. First, although it seems reasonable to expect that all the semantic typing lemmas from Section 3 continue to hold, a change of the calculus and its operational semantics would require us to recheck the proofs about object types in detail. Fortunately, the syntax extension does not seem necessary from the semantic typing point of view; we can already prove the semantic soundness of rule (Upd-Self) with respect to the encoding of the new method update construct from (5.1): if $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$, $e \in D$, and $\nu_e \in \{-, \mathsf{o}\}$ then

$$\Sigma \models a : \alpha \wedge (\forall \xi \subseteq \alpha.\ \Sigma[y := \xi] \models c : \gamma) \wedge (\forall \xi \subseteq \alpha.\ \Sigma[y := \xi, z := \gamma, x := \xi] \models b : F_e(\xi)) \Rightarrow \Sigma \models \mathit{let}\ y = a\ \mathit{in}\ \mathit{let}\ z = c\ \mathit{in}\ y.m_e := \varsigma(x)\, b : \alpha$$

However, by itself this rule does not help in typing the body of the backup method, and the introduction of rules with structural assumptions presents a more severe difficulty. Soundness of these rules relies on the fact that every subtype of an object type is another object type. In other words, in the (Clone-Str) rule the type $A$ is assumed to range only over object types. Such structural assumptions are usually not valid in semantic models, and they are certainly not justified with respect to our semantically defined subtype relation, which is just set inclusion.



5.3. Self Types with Structural Assumptions. To sum up the previous subsection, the problem is that the semantic typing lemmas from Figure 12 are too weak to type certain examples such as the body of the backup method, but the usual way to strengthen these rules in a syntactic setting is not semantically sound in our model. Still, $\Sigma[x := \beta] \models \mathit{backup}(x) : \beta$ is a valid typing judgement about the method body. This can be seen by taking a closer
Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$.

$$(\forall d \in D.\ \forall \xi \in \mathit{Type}.\ \xi \triangleleft \alpha \Rightarrow \Sigma[x_d := \xi] \models b_d : F_d(\xi)) \Rightarrow \Sigma \models [m_d = \varsigma(x_d)\, b_d]_{d \in D} : \alpha \qquad \text{(SemObj-Str)}$$

$$(\alpha' \triangleleft \alpha \wedge \Sigma \models a : \alpha' \wedge e \in D \wedge \nu_e \in \{+, \mathsf{o}\}) \Rightarrow \Sigma \models a.m_e : F_e(\alpha') \qquad \text{(SemInv-Str)}$$

$$(\alpha' \triangleleft \alpha \wedge \Sigma \models a : \alpha' \wedge e \in D \wedge \nu_e \in \{-, \mathsf{o}\} \wedge \Sigma[x := \alpha'] \models b : F_e(\alpha')) \Rightarrow \Sigma \models a.m_e := \varsigma(x)\, b : \alpha' \qquad \text{(SemUpd-Str)}$$

$$\alpha' \triangleleft \alpha \wedge \Sigma \models a : \alpha' \Rightarrow \Sigma \models \mathit{clone}\ a : \alpha' \qquad \text{(SemClone-Str)}$$

$$\Sigma \models a : \alpha \wedge (\forall \xi \in \mathit{Type}.\ \xi \triangleleft \alpha \Rightarrow \Sigma[x := \xi] \models b : \beta) \Rightarrow \Sigma \models \mathit{let}\ x = a\ \mathit{in}\ b : \beta \qquad \text{(SemLet-Str)}$$

Figure 13: Typing lemmas with structural assumptions: self types

look at the semantic definition of the self type $\beta = \llbracket \mathit{Bk} \rrbracket$: essentially, if for a suitable substitution $\sigma :_{k,\Psi} \Sigma[x := \beta]$ the substitution instance

$$\sigma(\mathit{backup}(x)) = \mathit{let}\ z = \mathit{clone}\ \sigma(x)\ \mathit{in}\ \sigma(x).\mathit{retrieve} := \varsigma(y)\, z$$

becomes irreducible in less than $k$ steps, then $\sigma(x)$ must be an object value $v = \{m_d = l_d\}_{d \in D}$ such that $(k, \Psi, v) \in \beta$. Property (Obj-1) of $\beta$ asserts the existence of a type $\alpha'$ such that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \beta \rfloor_k$, and property (Obj-3) entails that $z$ becomes bound to a value $v'$ of this type $\alpha'$. Thus by (Obj-2-self) the eventual update of the retrieve field of $v$ is valid, since the new method $\lambda(y)\, v'$ has the expected type $\alpha' \to \alpha'$ to sufficient approximation.

Similar 'manual' reasoning seems possible in other cases, but a more principled approach will let us use typing lemmas that are strong enough and avoid explicit reasoning about the operational semantics and step indices. To facilitate this, we develop a semantic counterpart to the structural assumptions that appear in the syntactic type system of Abadi and Cardelli [2, Ch. 17]. More precisely, we introduce a relation $\alpha' \triangleleft \alpha$ between semantic types that strengthens the subtype relation: intuitively $\alpha'$ is the precise, recursive type of some collection of object values from the object type $\alpha$. The type $\alpha$ acts as an interface that lists the permitted operations on these object values.

Definition 5.2 (Self type exposure). For $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and $\alpha' \in \mathit{Type}$ the relation $\alpha' \triangleleft \alpha$ holds if and only if $\alpha' \subseteq \alpha$ and for all $E \supseteq D$ and $(k, \Psi, \{m_e = l_e\}_{e \in E}) \in \alpha'$,

$$\begin{array}{lr}
(\forall d \in D.\ (k, \Psi, l_d) \in \mathit{ref}_{\nu_d}(\alpha' \to F_d(\alpha'))) & \text{(Obj-2-self)} \\
\wedge\ (\forall j < k.\ \forall \Psi'.\ \forall \{m_e = l'_e\}_{e \in E}. & \text{(Obj-3)} \\
\qquad (k, \Psi) \sqsubseteq (j, \Psi') \wedge (\forall e \in E.\ \lfloor \Psi' \rfloor_j (l'_e) = \lfloor \Psi' \rfloor_j (l_e)) & \\
\qquad \Rightarrow (j, \lfloor \Psi' \rfloor_j, \{m_e = l'_e\}_{e \in E}) \in \alpha') &
\end{array}$$

Notice that $\alpha' \triangleleft \alpha$ essentially states that $\alpha'$ is a type that can take the place of the existentially quantified 'self type' in an object type (see Definition 5.1). It is immediate from this definition that $\alpha' \triangleleft \alpha$ implies $\alpha' \subseteq \alpha$. Note however that $\triangleleft$ is not reflexive: in general, $\alpha'$ is not an object type (e.g., $\alpha'$ could be empty). Intuitively, the object type $\alpha$ is obtained as a union of such $\alpha'$.
Figure 13 lists new typing lemmas for self types that exploit the relation $\triangleleft$. Compared to (SemInv-Self) and (SemClone-Self) from Figure 12, the typing lemmas (SemInv-Str) and (SemClone-Str) use the additional assumptions $\alpha' \triangleleft \alpha$ and $\Sigma \models a : \alpha'$ to establish a more precise typing for the result. Similarly, while (SemUpd-Self) universally quantifies over all $\xi \subseteq \alpha$ in its premise, (SemUpd-Str) limits this to those $\xi \in \mathit{Type}$ for which $\xi \triangleleft \alpha$ holds. Finally, (SemLet-Str) lets us use an object $a$ within $b$ with the more precise type $\xi$ where $\xi \triangleleft \alpha$, and similarly (SemObj-Str) lets us type the method bodies under the more informative assumption that $\xi \triangleleft \alpha$. The latter two are the key lemmas to introduce an assumption $\alpha' \triangleleft \alpha$ in proofs using these semantic typing lemmas.

As an illustration, consider the example of the backup method again. In order to construct objects with the backup method, we will establish that

$$\forall \xi \in \mathit{Type}.\ \xi \triangleleft \beta \Rightarrow \Sigma[x := \xi] \models \mathit{backup}(x) : \xi \qquad (5.3)$$

holds, where $\beta = \llbracket \mathit{Bk} \rrbracket$ and $\mathit{backup}(x)$ abbreviates 'let $z = \mathit{clone}\ x$ in $x.\mathit{retrieve} := \varsigma(y)\, z$' as before. From this, by (SemObj-Str) it will follow that

$$\Sigma \models [\mathit{backup} = \varsigma(x)\, \mathit{backup}(x),\ \mathit{retrieve} = \ldots] : \beta$$

If we desugar the let construct in $\mathit{backup}(x)$ and apply lemmas (SemApp) and (SemLam), we notice that in order to show (5.3) it suffices to prove that $\Sigma[x := \xi] \models \mathit{clone}\ x : \xi$ and $\Sigma[x := \xi, z := \xi] \models x.\mathit{retrieve} := \varsigma(y)\, z : \xi$. Using $\xi \triangleleft \beta$ and $\Sigma[x := \xi] \models x : \xi$, the validity of the former judgement is immediate by (SemClone-Str). Similarly, the latter follows by (SemUpd-Str) from the fact that $\xi \triangleleft \beta$ and since the retrieve method is listed with variance annotation 'o' in $\beta$.
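The argument just sketched, written out as a chain of semantic typing judgements. This derivation is added here as a worked example and is not part of the paper; it assumes the usual forms of the variable lookup, (SemLam) and (SemApp) lemmas from Section 3 (their statements are not shown on this page; the shape used for (SemLam) is stated in the right-hand column), and it assumes that the component of $\beta$ for retrieve is the identity constructor, i.e. $F_{\mathit{retrieve}}(\xi) = \xi$, because retrieve is declared as $\mathit{retrieve} :_{\mathsf{o}} X$ in $\mathit{Bk}$.

```latex
% Fix \xi \in Type with \xi \triangleleft \beta and write \Sigma' = \Sigma[x := \xi].
% Desugared method body:  backup(x) = (\lambda(z)\, x.retrieve := \varsigma(y)\, z)\,(clone\ x)
\begin{align*}
&\text{(1)}\quad \Sigma' \models x : \xi
  && \text{variable lookup, } \Sigma'(x) = \xi \\
&\text{(2)}\quad \Sigma' \models \mathit{clone}\ x : \xi
  && \text{(SemClone-Str) from } \xi \triangleleft \beta \text{ and (1)} \\
&\text{(3)}\quad \Sigma'[z := \xi] \models x : \xi
  && \text{variable lookup, } z \neq x \\
&\text{(4)}\quad \Sigma'[z := \xi][y := \xi] \models z : F_{\mathit{retrieve}}(\xi) = \xi
  && \text{variable lookup; } F_{\mathit{retrieve}} = \mathrm{id} \text{ assumed (from } \mathit{retrieve} :_{\mathsf{o}} X) \\
&\text{(5)}\quad \Sigma'[z := \xi] \models x.\mathit{retrieve} := \varsigma(y)\, z : \xi
  && \text{(SemUpd-Str): } \xi \triangleleft \beta,\ (3),\ \mathit{retrieve} \in D,\ \nu_{\mathit{retrieve}} = \mathsf{o} \in \{-, \mathsf{o}\},\ (4) \\
&\text{(6)}\quad \Sigma' \models \lambda(z)\,(x.\mathit{retrieve} := \varsigma(y)\, z) : \xi \to \xi
  && \text{(SemLam) from (5), assumed shape } (\Sigma[z := \gamma] \models b : \delta) \Rightarrow \Sigma \models \lambda(z)\, b : \gamma \to \delta \\
&\text{(7)}\quad \Sigma' \models (\lambda(z)\,(x.\mathit{retrieve} := \varsigma(y)\, z))\,(\mathit{clone}\ x) : \xi
  && \text{(SemApp) from (6) and (2)}
\end{align*}
% (7) is \Sigma[x := \xi] \models backup(x) : \xi; since \xi was an arbitrary type with \xi \triangleleft \beta,
% this is exactly (5.3), and (SemObj-Str) then types the object containing backup at \beta.
```

The point of step (5) is that (SemUpd-Str) only asks for the new method body to be well-typed at the single exposed type $\xi$, whereas (SemUpd-Self) would have required step (4) for every subtype of $\beta$, which fails because $z$ is bound at $\xi$ and not at an arbitrary smaller type.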

Lemma 5.3 (Self types: lemmas with structural assumptions). All the semantic typing lemmas shown in Figure 13 are valid implications.

Proof sketch. The proofs of (SemInv-Str), (SemClone-Str), and (SemUpd-Str) are straightforward adaptations of those for (SemInv), (SemClone), and (SemUpd). As an example, we give the proof of (SemUpd-Str) as Lemma A.10 in the Appendix. More interestingly, (SemLet-Str) relies on the following property of object types $\alpha$:

$$(k, \Psi, v) \in \alpha \Rightarrow \exists \alpha' \in \mathit{Type}.\ \alpha' \triangleleft \alpha \wedge (k - 1, \lfloor \Psi \rfloor_{k-1}, v) \in \alpha'$$

In the proof of (SemLet-Str), this $\alpha'$ is used to instantiate the universally quantified $\xi$ in the premise $\xi \triangleleft \alpha \Rightarrow \Sigma[x := \xi] \models b : \beta$. The full proof is given as Lemma A.12 in the Appendix.

The proof of (SemObj-Str) is similar to the one of (SemObj) (Lemma A.4 in the Appendix), except that we use the heap typing extension $\Psi' = \Psi[l_d := (\beta \to F_d(\beta))]_{d \in D}$, where $\beta$ is a recursive record type satisfying conditions (Obj-2-self) and (Obj-3), but not validating any subtyping property. In verifying that the extended heap is well-typed with respect to this $\Psi'$ one uses that $\beta \triangleleft \alpha$, in order to instantiate the assumptions on the method bodies and obtain $\Sigma[x_d := \beta] \models b_d : F_d(\beta)$. Finally, to show that the generated object value has type $\alpha$, Claim 3.23 is strengthened to show that the object value is in fact in $\beta$, which is a subtype of $\alpha$ since $\beta \triangleleft \alpha$ (see Proposition A.14 and Lemma A.15 in the Appendix for the full proof). □
Remark 5.4. The implication $\Sigma \models a : \alpha \Rightarrow \exists \alpha' \in \mathit{Type}.\ \alpha' \triangleleft \alpha \wedge \Sigma \models a : \alpha'$ for $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ appears reasonable (and would entail both (SemLet-Str) and (SemObj-Str)), but we do not believe that it holds. The problem is that, while the premise $\Sigma \models a : \alpha$ guarantees for each $k$ the existence of a type $\alpha'_k$ that satisfies the requirement $\alpha'_k \triangleleft \alpha$, it is in general not possible to construct a type $\alpha'$ 'in the limit' from this sequence. For the same reason, the implication $\Sigma \models \mathit{pack}\ a : \exists_\alpha F \Rightarrow \exists \alpha' \subseteq \alpha.\ \Sigma \models a : F(\alpha')$ is not valid. The typing lemma (SemLet-Str) avoids this problem since $\alpha'$ is only needed up to a fixed approximation, and so the choice of $\alpha'_k$ for sufficiently large $k$ suffices (cf. proof of Lemma A.12 in the Appendix). On the other hand, the (SemObj-Str) lemma avoids the problem by instantiating $\xi$ with a particular type $\beta$, for which $\beta \triangleleft \alpha$ is already known.

In this section we showed that our semantics of object types naturally extends to self types, while avoiding any change to the syntax and operational semantics of the calculus. We proved a first set of typing lemmas that are natural and apply to many examples (Figure 12). These lemmas are however not sufficient to typecheck self-returning methods. To achieve this, we developed a second set of typing lemmas that involve the object's precise type, through the relation $\alpha' \triangleleft \alpha$ (Figure 13). Note that these latter lemmas do not fully subsume the former ones, since the $\triangleleft$ relation is not reflexive. We leave open the problem of relating the lemmas in Figure 13 to a syntactic type system.

6. Generalizing Reference and Object Types

The semantics described in this paper generalizes the reference types from [6, 9] to readable and writable reference types. This can be generalized even further. We can have a reference type constructor that takes two types as arguments: one that represents the most general type that can be used when writing to the reference, and another for the most specific type that can be read from it [38]. This can be easily expressed using our readable and writable reference types together with intersection types:

$$\mathit{ref}(\tau^w, \tau^r) = \mathit{ref}_{-}\,\tau^w \cap \mathit{ref}_{+}\,\tau^r$$

After unfolding the definitions, this yields

$$\mathit{ref}(\tau^w, \tau^r) = \{(k, \Psi, l) \mid \lfloor \tau^w \rfloor_k \subseteq \lfloor \Psi(l) \rfloor_k \subseteq \lfloor \tau^r \rfloor_k\}.$$

As one would expect, this generalized reference type constructor is contravariant in the first argument and covariant in the second one:

$$\beta^w \subseteq \alpha^w \wedge \alpha^r \subseteq \beta^r \Rightarrow \mathit{ref}(\alpha^w, \alpha^r) \subseteq \mathit{ref}(\beta^w, \beta^r) \qquad \text{(SemSubRef-Gen)}$$

Note that, if one takes these generalized reference types as primitive, then the three reference types from Section 3.4 are obtained as special cases:

$$\mathit{ref}_{\mathsf{o}}\,\tau = \mathit{ref}(\tau, \tau), \qquad \mathit{ref}_{+}\,\tau = \mathit{ref}(\bot, \tau), \qquad \mathit{ref}_{-}\,\tau = \mathit{ref}(\tau, \top),$$

and the subtyping properties from Figure 7 are still valid.
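Both (SemSubRef-Gen) and the three special cases follow from the unfolded definition by a direct inclusion chain. The following derivation is added here as a worked example and is not part of the paper; it assumes the standard definition of approximation, $\lfloor \tau \rfloor_k = \{(j, \Psi, v) \in \tau \mid j < k\}$, from which monotonicity ($\tau \subseteq \tau' \Rightarrow \lfloor \tau \rfloor_k \subseteq \lfloor \tau' \rfloor_k$), $\lfloor \bot \rfloor_k = \emptyset$ and $\lfloor \sigma \rfloor_k \subseteq \lfloor \top \rfloor_k$ for every type $\sigma$ follow, and it assumes that $\mathit{ref}_{\mathsf{o}}\,\tau = \mathit{ref}_{-}\,\tau \cap \mathit{ref}_{+}\,\tau$ in Section 3.4.

```latex
% Assume \beta^w \subseteq \alpha^w and \alpha^r \subseteq \beta^r, and let (k, \Psi, l) \in ref(\alpha^w, \alpha^r).
\begin{align*}
\lfloor \beta^w \rfloor_k
  &\subseteq \lfloor \alpha^w \rfloor_k  && \text{monotonicity of } \lfloor\cdot\rfloor_k \text{ and } \beta^w \subseteq \alpha^w \\
  &\subseteq \lfloor \Psi(l) \rfloor_k   && (k, \Psi, l) \in \mathit{ref}(\alpha^w, \alpha^r), \text{ left inclusion} \\
  &\subseteq \lfloor \alpha^r \rfloor_k  && (k, \Psi, l) \in \mathit{ref}(\alpha^w, \alpha^r), \text{ right inclusion} \\
  &\subseteq \lfloor \beta^r \rfloor_k   && \text{monotonicity of } \lfloor\cdot\rfloor_k \text{ and } \alpha^r \subseteq \beta^r
\end{align*}
% Hence (k, \Psi, l) \in ref(\beta^w, \beta^r), which is (SemSubRef-Gen): the write bound may shrink
% and the read bound may grow, and nothing else.
%
% Special cases: a trivial bound on one side makes that side of the chain vacuous.
\begin{align*}
\mathit{ref}(\tau, \tau)
  &= \{(k, \Psi, l) \mid \lfloor \tau \rfloor_k \subseteq \lfloor \Psi(l) \rfloor_k \subseteq \lfloor \tau \rfloor_k\}
   = \{(k, \Psi, l) \mid \lfloor \Psi(l) \rfloor_k = \lfloor \tau \rfloor_k\}
   = \mathit{ref}_{-}\,\tau \cap \mathit{ref}_{+}\,\tau = \mathit{ref}_{\mathsf{o}}\,\tau \\
\mathit{ref}(\bot, \tau)
  &= \{(k, \Psi, l) \mid \emptyset \subseteq \lfloor \Psi(l) \rfloor_k \subseteq \lfloor \tau \rfloor_k\}
   = \{(k, \Psi, l) \mid \lfloor \Psi(l) \rfloor_k \subseteq \lfloor \tau \rfloor_k\}
   = \mathit{ref}_{+}\,\tau \\
\mathit{ref}(\tau, \top)
  &= \{(k, \Psi, l) \mid \lfloor \tau \rfloor_k \subseteq \lfloor \Psi(l) \rfloor_k \subseteq \lfloor \top \rfloor_k\}
   = \{(k, \Psi, l) \mid \lfloor \tau \rfloor_k \subseteq \lfloor \Psi(l) \rfloor_k\}
   = \mathit{ref}_{-}\,\tau
\end{align*}
% Instantiating (SemSubRef-Gen) with these cases recovers the edges of Figure 14:
%   ref(\tau, \tau) \subseteq ref(\bot, \tau)  (invariant to readable)  and
%   ref(\tau, \tau) \subseteq ref(\tau, \top)  (invariant to writable),
% while ref(\bot, \tau) and ref(\tau, \top) are incomparable for a non-trivial \tau.
```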

Figures 14 and 15 give a graphical representation of the different reference type constructors. In both figures the horizontal axis represents the type at which a reference can be read, while the vertical one gives the type at which it can be written. Notice that because of the different variance the read axis goes from $\bot$ to $\top$ while the write axis goes from $\top$ to $\bot$.

Figure 14 represents the usual, as well as the readable, and the writable reference types as points on the three edges of a triangle. Notice that the usual references can be read and written at the same type. Without additional information, the readable references
Figure 14: Readable/writable reference types (graphic not reproduced; its corner points are the types $\mathit{ref}(\bot, \bot)$, $\mathit{ref}(\bot, \top)$ and $\mathit{ref}(\top, \top)$)

Figure 15: Generalized reference types (graphic not reproduced)



Let $\alpha = [m_d : (\tau^w_d, \tau^r_d)]_{d \in D}$ and $\alpha' = [m_d : (\tau_d, \tau_d)]_{d \in D}$.

$$(\forall d \in D.\ \Sigma[x_d := \alpha'] \models b_d : \tau_d) \Rightarrow \Sigma \models [m_d = \varsigma(x_d)\, b_d]_{d \in D} : \alpha' \qquad \text{(SemObj-Gen)}$$

$$(\Sigma \models a : \alpha \wedge e \in D) \Rightarrow \Sigma \models a.m_e : \tau^r_e \qquad \text{(SemInv-Gen)}$$

$$(\Sigma \models a : \alpha \wedge e \in D \wedge \Sigma[x := \alpha] \models b : \tau^w_e) \Rightarrow \Sigma \models a.m_e := \varsigma(x)\, b : \alpha \qquad \text{(SemUpd-Gen)}$$

$$\Sigma \models a : \alpha \Rightarrow \Sigma \models \mathit{clone}\ a : \alpha \qquad \text{(SemClone-Gen)}$$

$$E \subseteq D \wedge (\forall e \in E.\ \beta^w_e \subseteq \alpha^w_e \wedge \alpha^r_e \subseteq \beta^r_e) \Rightarrow [m_e : (\alpha^w_e, \alpha^r_e)]_{e \in D} \subseteq [m_e : (\beta^w_e, \beta^r_e)]_{e \in E} \qquad \text{(SemSubObj-Gen)}$$

Figure 16: Typing lemmas: generalized object types



can only be written safely at type $\bot$, and the writable ones can only be read at type $\top$. Subtyping is represented by arrows: covariant on the edge of the readable reference types and contravariant on the writable reference types' edge. An invariant reference type can only be subtyped either to a readable or to a writable reference type.

Figure 15 illustrates that our generalization of reference types is indeed very natural. When generalizing, we take not only the points on the edges of the triangle, but also the points inside it to be reference types. Furthermore, instead of having three different kinds of reference types, we only have one. Subtyping is also more natural: the set of all supertypes of a reference type covers the area of a rectangle which goes from the point corresponding to this reference type to the 'top' reference type $\mathit{ref}(\bot, \top)$. For instance, the dark gray rectangle in Figure 15 contains all supertypes of $\mathit{ref}(\tau, \tau)$.

Applying this idea in the context of the imperative object calculus leads not only to more expressive subtyping but also to simplifications, since the variance annotations are no longer needed. The extended object type $[m_d : (\tau^w_d, \tau^r_d)]_{d \in D}$ has two types for each method $m_d$: $\tau^w_d$ is the most general type that can be used to update the given method, and $\tau^r_d$ is the most specific type that can be expected as a result when invoking the method. When defining the semantics of these generalized object types, the only difference with respect to Definition 3.20 (Object types) is that condition (Obj-2) is changed to use an extended reference type:

$$\forall d \in D.\ (k, \Psi, l_d) \in \mathit{ref}(\alpha' \to \tau^w_d,\ \alpha' \to \tau^r_d). \qquad \text{(Obj-2-Gen)}$$
Let $A = [m_d : (A^w_d, A^r_d)]_{d \in D}$ and $A' = [m_d : (A_d, A_d)]_{d \in D}$.

$$\frac{\forall d \in D.\ \Gamma, x_d : A' \vdash b_d : A_d}{\Gamma \vdash [m_d = \varsigma(x_d : A')\, b_d]_{d \in D} : A'}\ \text{(Obj-Gen)} \qquad \frac{\Gamma \vdash a : A}{\Gamma \vdash \mathit{clone}\ a : A}\ \text{(Clone-Gen)}$$

$$\frac{\Gamma \vdash a : A \quad e \in D}{\Gamma \vdash a.m_e : A^r_e}\ \text{(Inv-Gen)} \qquad \frac{\Gamma \vdash a : A \quad e \in D \quad \Gamma, x : A \vdash b : A^w_e}{\Gamma \vdash a.m_e := \varsigma(x : A)\, b : A}\ \text{(Upd-Gen)}$$

$$\frac{E \subseteq D \quad \forall e \in E.\ \Gamma \vdash B^w_e \leq A^w_e \quad \forall e \in E.\ \Gamma \vdash A^r_e \leq B^r_e}{\Gamma \vdash [m_e : (A^w_e, A^r_e)]_{e \in D} \leq [m_e : (B^w_e, B^r_e)]_{e \in E}}\ \text{(SubObj-Gen)}$$

Figure 17: The typing rules for generalized object types

Figure 16 presents the semantic typing lemmas that are validated by this definition of object types, while Figure 17 gives the corresponding syntactic typing rules. Note that the complex and seemingly ad hoc rules for subtyping object types given in Figure 4 or in [2] are replaced by only one rule (SubObj-Gen).

Lemma 6.1 (Generalized object types). All the semantic typing lemmas shown in Figure 16 are valid implications.

Proof sketch. The proof of the subtyping lemma (SemSubObj-Gen) follows easily from the lemma for subtyping generalized reference types (SemSubRef-Gen above), and is therefore significantly simpler than when variance annotations are involved (see Lemma A.16 in the Appendix). For all the other semantic typing lemmas the proofs are basically unchanged (see Section A.2 in the Appendix). □

Note that the generalization of object types presented in this section is orthogonal to the extension to self types from the previous section. The generalized object types lead to a type system that is both simpler and more expressive than the usual type systems for objects [2]. Our generalized object types directly correspond to the split types of Bugliesi and Pericas-Geertsen [19], who have shown that these types are strictly more expressive than object types with variance annotations [19, Example 4.3].



7. Comparison to Related Work 



7.1. Domain-theoretic Models. Abadi and Cardelli give a semantic model for the functional object calculus in [1, 2]. Their type system is comparable to the one we consider here. Types are interpreted as certain partial equivalence relations over an untyped domain-theoretic model of the calculus. No indication is given on how to adapt this to the imperative execution model.

Based on earlier work by Kamin and Reddy [30], Reus et al. [41, 42] construct domain-theoretic models for the imperative object calculus, with the goal of proving soundness for the logic of Abadi and Leino [4]. The higher-order store exhibited by the object calculus requires defining the semantic domains by mixed-variant recursive equations. The dynamic allocation is then addressed by interpreting specifications of the logic as Kripke relations, indexed by store specifications, which are similar to the heap typings used here.
Building on work by Levy [31], an 'intrinsically typed' model of the imperative object calculus is presented in the second author's PhD thesis [44], by solving the domain equations in a suitable category of functors. However, only first-order types are considered.

Compared to these domain-theoretic models, the step-indexed model we present not only soundly interprets a richer type language, but is also easier to work with. The way it is based on the operational semantics eliminates the need for explicit continuity conditions, and the admissibility conditions are replaced by the closure under state extension, which is usually very easy to check. All that is needed for the definition of iso-recursive and second-order types are non-expansiveness and the stratification invariant. What is missing from our model is a semantic notion of equality that approximates program equivalence. For reasoning about program equivalence in an ML-like language, Ahmed et al. [5] have recently developed a relational step-indexed model, and it could be interesting to adapt their work to an object-oriented setting.

Recently proposed models for polymorphism and general references [15, 16, 17] suggest that an adequate semantics for imperative objects with expressive typing could in principle be developed also in a domain-theoretic setting. A detailed comparison between step-indexed semantics and domain-theoretic models would be useful, to make the similarities and differences between the two approaches more precise.

It is interesting to see how the object construction rule (Obj) is proved correct in each of the models described above. In the domain-theoretic self-application models [41, 42], it directly corresponds to a recursive predicate whose well-definedness (i.e., existence and uniqueness) must be established. This proof exploits properties of the underlying, recursively defined domain, and imposes some further restrictions on the semantic types: besides admissibility, types appearing in the defining equation of a recursive predicate need to satisfy an analogue of the contractiveness property [36]. In the typed functor category model [44], object construction is interpreted using a recursively defined function, and correspondingly (Obj) is proved by fixed point induction. In the step-indexed case, the essence of the proof is a more elementary induction on the step index, with a suitably generalized induction hypothesis (see Claim 3.23 in the proof sketch of Lemma 3.22 on page 18, or the full proof in the Appendix).

7.2. Interpretations of Object Types. Our main contribution in this paper is the novel interpretation of object types in the step-indexed model. The step-index-induced stratification permits the construction of mixed-variance recursive as well as impredicative, second-order types. Both are key ingredients in our interpretation of object types. The use of recursive and existentially quantified types is in line with the type-theoretic work on object encodings, which however has mainly focused on object calculi with a functional execution model [?].

Closest to our work is the encoding of imperative objects into an imperative variant of system $F_{\leq}$ with updatable records, proposed by Abadi et al. [3]. There, objects are interpreted as records containing references to the procedures that represent the methods. As in our case, these records have a recursive and existentially quantified record type. The difference is that two additional record fields are included in order to achieve invocation and cloning, and uninitialized fields are used to construct this recursive record. Subtyping in depth is considered in [3] only for the encoding of the functional object calculus. However, if one added to the target language the readable and writable reference types we use in this paper, the encoding of the imperative object calculus would extend to subtyping in depth as well.

In the typing rules for self types, the structural assumptions about the subtype relation play an important role [2]. In Section 5 we developed a semantic counterpart to such typing rules with structural assumptions, in order to deal with the polymorphic update of self-returning methods. This is, however, tailored specifically to object types. Hofmann and Pierce [26] investigate the metatheory of subtyping with structural assumptions in general, and give elementary presentations of two encodings of functional objects in a variant of System $F_{\leq}$ with type destructors. It may be interesting to see if a step-indexed model of this variant of System $F_{\leq}$ can be found.

7.3. Step-indexed Models. Step-indexed semantic models were introduced by Appel et al. in the context of foundational proof-carrying code. Their goal was to construct more elementary and modular proofs of type soundness that can be easily checked automatically. They were primarily interested in low-level languages; however, they also applied their technique to a pure $\lambda$-calculus with recursive types [10]. Later Ahmed et al. successfully extended it to general references and impredicative polymorphism [6, 9]. The step-indexed semantic model we present extends the one by Ahmed et al. with object types and subtyping. In order to achieve this, we refine the reference types from [6] to readable and writable reference types.

Subtyping in a step-indexed semantic model was previously considered by Swadi who studied Typed Machine Language [45]. Our setup is however much different. In particular, the subtle issues concerning the subtyping of object types are original to our work.

The previous work on step-indexing focuses on 'semantic type systems', i.e., the semantic typing lemmas can directly be used for type-checking programs [9, 10, 12]. However, when one considers more complex type systems with subtyping, recursive types or polymorphism, the semantic typing lemmas no longer directly correspond to the usual syntactic rules. These discrepancies can be fixed, but usually at the cost of more complex models, like the one developed by Swadi to track type variables [45]. In Swadi's model an additional 'semantic kind system' is used to track the contractiveness and non-expansiveness of types with free type variables. We avoid having a more complex model (e.g., one that tracks type variables) by considering iso-recursive rather than equi-recursive types. An equi-recursive type is well-defined if its argument is contractive, and some of the type constructors are not contractive in general (e.g., the identity as well as the equi-recursive type constructor itself). On the other hand, an iso-recursive type is well-defined under the weaker assumption that the argument is non-expansive, and all our type constructors are indeed non-expansive (see Lemma 3.33). It is then relatively straightforward to use the semantic typing lemmas in order to prove the soundness of the standard, syntactic type system we consider (see Theorem 4.5).

7.4. Type Safety Proofs. Abadi and Cardelli use subject reduction to prove the safety of several type systems very similar to the one considered in this paper [2]. Those purely syntactic proofs are very different from the 'semantic' type safety proof we present (for detailed discussions about the differences see [10, ?]). Since type safety is built into the model, our safety proof neither relies on a preservation property, nor can preservation be concluded from it.

Constructing a step-indexed semantics is more challenging than proving progress and preservation. However, for our particular semantics we could reuse the model by Ahmed et al. and extend it to suit our needs, even though the calculus we are considering is quite different. So one would expect that once enough general models are constructed (e.g., [?]), it will become easier to build new models just by mixing and matching. Assuming the existence of an adequate step-indexed model, the effort needed to prove the semantic typing lemmas using 'pencil-and-paper' is somewhat comparable to the one required for a subject reduction proof. Since each of the semantic typing lemmas is proved in isolation, the resulting type soundness proof is more modular; the extensions we consider in Sections 5 and 6 illustrate this aspect rather well. According to Appel's original motivation, the advantages of step-indexing should become even more apparent when formalizing the proofs in a proof assistant [10].

7.5. Generalized Reference and Object Types. The readable and the writable reference types we define in Section 3.4 and use for modeling object types in Section 3.5 are similar to the reference types in the Forsythe programming language [43] and to the channel types of [22, 35]. The generalization to a reference type constructor taking two arguments described in Section 6 is quite natural, and also appeared in Pottier's thesis [38], where it facilitated type inference by allowing meets and joins to distribute over reference types. This idea has recently been applied by Craciun et al. for inferring variant parametric types in Java [23].

The generalized object types we introduce in Section 6 directly correspond to the split types of Bugliesi and Pericas-Geertsen [19]. Split types are also motivated by type inference, since they guarantee the existence of more precise upper and lower bounds. In particular, Bugliesi and Pericas-Geertsen show that split types are strictly more expressive than first-order object types with variance annotations [19, Example 4.3]. They establish the soundness of a type system with split types by subject reduction, with respect to a functional semantics of the object calculus.

7.6. Functional Object Calculus. Our initial experiments on the current topic were done in the context of the functional object calculus [27]. Even though in the functional setting the semantic model is much simpler, both models satisfy the same semantic typing lemmas. Even more, the syntactic type system we considered for the functional calculus is exactly the same as the one in this paper, so all the results in Section 4 directly apply to the functional object calculus: well-typed terms do not get stuck, no matter whether they are evaluated in a functional or an imperative way. It would not be possible to directly prove such a result using subject reduction, since for subject reduction the syntactic typing judgment for the imperative calculus would also depend on a heap typing, and thus be different from the judgment for the functional calculus. However, since we are not using subject reduction, we do not need to type-check partially evaluated terms that contain heap locations.

8. Conclusion 

We have presented a step-indexed semantics for Abadi and Cardelli's imperative object calculus, and used it to prove the safety of a type system with object types, recursive and second-order types, as well as subtyping. We showed how this semantics can be extended to self types and typing lemmas with structural assumptions; and generalized in a way that eliminates the need for variance annotations and at the same time simplifies the subtyping rules for objects.

The step-indexing technique is however not limited to type safety proofs, and has already been employed for more general reasoning about programs. Based on previous work by Appel and McAllester [10], Ahmed built a step-indexed partial equivalence relation model for the lambda calculus with recursive and impredicative quantified types, and showed that her relational interpretation of types is sound for proving contextual equivalences [7]. Recently, this was extended significantly to reason about program equivalence in the presence of general references [5]. Benton also used step-indexing as a technical device, together with a notion of orthogonality relating expressions to contexts, to show the soundness of a compositional program logic for a simple stack-based abstract machine [13]. He also employed step-indexing in a Floyd-Hoare-style framework based on relational parametricity for the specification and verification of machine code programs [14].

We hope that our work paves the way for similarly compelling, semantic investigations 
of program logics for the imperative object calculus: using a step-indexed model it should 
be possible to prove the soundness of more expressive program logics for this calculus. 
Appendix A.

A.1. Auxiliary Propositions.

Proposition A.1 (Preorder). The state extension relation, $\sqsubseteq$, is reflexive and transitive. □

Proposition A.2 (Information-forgetting extension). If $j \le k$ then $(k, \Psi) \sqsubseteq (j, \lfloor \Psi \rfloor_j)$. □

Proposition A.3 (Relation between $(k, \Psi, v) \in \tau$ and $v :_{k,\Psi} \tau$). Let $v$ be a closed value.

(1) If $(k, \Psi, v) \in \tau$ then $v :_{k,\Psi} \tau$.

(2) If $v :_{k,\Psi} \tau$, $k > 0$, and there exists some $h$ such that $h :_k \Psi$, then $(k, \Psi, v) \in \tau$. □
A.2. Typing Lemmas for Object Types.

Lemma A.4 (SemObj: Object construction). For all object types $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$, if for all $d \in D$ we have $\Sigma[x_d := \alpha] \models b_d : \tau_d$, then $\Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha$.

Proof. Let $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ and assume that $\forall d \in D.\ \Sigma[x_d := \alpha] \models b_d : \tau_d$. We must show that $\Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha$. Thus, let $k > 0$, $\sigma$ be a value environment and $\Psi$ be a heap typing such that $\sigma :_{k,\Psi} \Sigma$. By the definition of the semantic typing judgement (Definition 3.8) we need to show that $\sigma([m_d = \varsigma(x_d)b_d]_{d \in D}) :_{k,\Psi} \alpha$. Equivalently (after suitable $\alpha$-renaming), we show that

$$[m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D} :_{k,\Psi} \alpha$$

Suppose $j < k$, $h$, $h'$ and $b'$ are such that the following three conditions are fulfilled:

$$h :_k \Psi \;\wedge\; (h, [m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D}) \to^j (h', b') \;\wedge\; (h', b') \not\to \quad (A.1)$$

By the operational semantics Red-Obj is the only rule that applies, which means that necessarily $j = 1$ and for some distinct $l_d \notin \mathrm{dom}(h)$ we have $b' = \{m_d = l_d\}_{d \in D}$ and

$$h' = h[l_d := \lambda(x_d)\sigma(b_d)]_{d \in D} \quad (A.2)$$

We choose

$$\Psi' = \lfloor \Psi[l_d := (\alpha \to \tau_d)]_{d \in D} \rfloor_{k-1} \quad (A.3)$$

and show that

$$(k, \Psi) \sqsubseteq (k-1, \Psi') \;\wedge\; h' :_{k-1} \Psi' \;\wedge\; (k-1, \Psi', b') \in \alpha \quad (A.4)$$

That the first conjunct of (A.4) holds is immediate from the construction of $\Psi'$ (A.3). In order to show the second conjunct, by Definition 3.5 (Well-typed heap) we first need to show that $\mathrm{dom}(\Psi') \subseteq \mathrm{dom}(h')$. From the first conjunct of (A.1) and Definition 3.5 it is clear that $\mathrm{dom}(\Psi) \subseteq \mathrm{dom}(h)$. Thus from the shape of $h'$ (A.2) and the definition of $\Psi'$ (A.3) we obtain the required inclusion.

Next, let $i < k-1$ and $l \in \mathrm{dom}(\Psi')$. To establish $h' :_{k-1} \Psi'$ in (A.4) we now need to show that $(i, \lfloor \Psi' \rfloor_i, h'(l)) \in \Psi'(l)$. We distinguish two cases:

• Case $l = l_d$ for some $d \in D$. From (A.2) and (A.3) respectively we get that

$$h'(l) = \lambda(x_d)\sigma(b_d) \;\wedge\; \Psi'(l) = \lfloor \alpha \to \tau_d \rfloor_{k-1}$$

Thus we need to show that

$$(i, \lfloor \Psi' \rfloor_i, \lambda(x_d)\sigma(b_d)) \in \lfloor \alpha \to \tau_d \rfloor_{k-1} \quad (A.5)$$

By SemLam in Figure 6 (Lemma 3.15) and the assumption $\Sigma[x_d := \alpha] \models b_d : \tau_d$ we already know that $\Sigma \models \lambda(x_d)b_d : \alpha \to \tau_d$ for all $d \in D$. From this and $\sigma :_{k,\Psi} \Sigma$ by Definition 3.8 (Semantic typing judgement) we obtain

$$\forall d \in D.\ \lambda(x_d)\sigma(b_d) :_{k,\Psi} \alpha \to \tau_d \quad (A.6)$$

Since $k > 1$ (as $1 = j < k$) and from (A.1) $h :_k \Psi$, Proposition A.3 shows that (A.6) implies

$$\forall d \in D.\ (k, \Psi, \lambda(x_d)\sigma(b_d)) \in \alpha \to \tau_d \quad (A.7)$$

By Proposition A.2 we get that $(k-1, \Psi') \sqsubseteq (i, \lfloor \Psi' \rfloor_i)$, which together with the first conjunct of (A.4) and the transitivity of $\sqsubseteq$ yields $(k, \Psi) \sqsubseteq (i, \lfloor \Psi' \rfloor_i)$. Since each $\alpha \to \tau_d$ is closed under state extension, the latter property and (A.7) imply the required (A.5).

• Case $l \in \mathrm{dom}(\Psi)$. From (A.2) and (A.3) respectively we get that $h'(l) = h(l)$ and $\Psi'(l) = \lfloor \Psi(l) \rfloor_{k-1}$, so we actually need to show that $(i, \lfloor \Psi' \rfloor_i, h(l)) \in \lfloor \Psi(l) \rfloor_{k-1}$. From $h :_k \Psi$ (A.1) by Definition 3.5 we get that $(k-1, \lfloor \Psi \rfloor_{k-1}, h(l)) \in \Psi(l)$. Since $\Psi(l)$ is closed under state extension and $(k-1, \lfloor \Psi \rfloor_{k-1}) \sqsubseteq (i, \lfloor \Psi' \rfloor_i)$, we obtain $(i, \lfloor \Psi' \rfloor_i, h(l)) \in \Psi(l)$, and hence, as $i < k-1$, also $(i, \lfloor \Psi' \rfloor_i, h(l)) \in \lfloor \Psi(l) \rfloor_{k-1}$.

Finally, we need to show the third conjunct of (A.4), i.e., $(k-1, \Psi', \{m_d = l_d\}_{d \in D}) \in \alpha$. To this end, we prove the following more general claim:

Claim: For all $j_0 \ge 0$, for all $\Psi_0$ and for all $\{m_d = l'_d\}_{d \in D}$

$$(k-1, \Psi') \sqsubseteq (j_0, \Psi_0) \;\wedge\; (\forall d \in D.\ \lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d)) \;\Rightarrow\; (j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \alpha \quad (A.8)$$

From this and $\lfloor \Psi' \rfloor_{k-1} = \Psi'$, (A.4) follows by taking $j_0 = k-1$, $\Psi_0 = \Psi'$ and $l'_d = l_d$ for all $d \in D$, and by observing that $\sqsubseteq$ is reflexive (Proposition A.1).

The claim is proved by complete induction on $j_0$. So assume $j_0 \ge 0$ and $\Psi_0$ are such that

$$(k-1, \Psi') \sqsubseteq (j_0, \Psi_0) \quad (A.9)$$

Moreover, for all $d \in D$ let $l'_d \in \mathrm{dom}(\Psi_0)$ such that

$$\forall d \in D.\ \lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d) \quad (A.10)$$

We show that $(j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \alpha$ by checking that all the conditions obtained by unfolding the definition of $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ hold. Choosing $\alpha' = \alpha$ yields (Obj-1):

$$\exists \alpha'.\ \alpha' \in \mathit{Type} \;\wedge\; \lfloor \alpha' \rfloor_{j_0} \subseteq \lfloor \alpha \rfloor_{j_0} \quad (A.11)$$

Next, by the construction of $\Psi'$ in (A.3), together with (A.9) (which gives $j_0 \le k-1$), (A.10), and the non-expansiveness of procedure types, it follows that for all $d \in D$

$$\lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d) = \lfloor \lfloor \alpha \to \tau_d \rfloor_{k-1} \rfloor_{j_0} = \lfloor \alpha \to \tau_d \rfloor_{j_0} = \lfloor \alpha' \to \tau_d \rfloor_{j_0} \quad (A.12)$$

By the definition of reference types (Definition 3.16) this implies that

$$\forall d \in D.\ (j_0, \lfloor \Psi_0 \rfloor_{j_0}, l'_d) \in \mathrm{ref}_{\mathrm{o}}(\alpha' \to \tau_d) \quad (A.13)$$

By the lemma for subtyping variance annotations (SemSubVarRef in Figure 7) we then obtain property (Obj-2):

$$\forall d \in D.\ (j_0, \lfloor \Psi_0 \rfloor_{j_0}, l'_d) \in \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d) \quad (A.14)$$

Finally, we must prove (Obj-3), i.e., that for all $j < j_0$, $\Psi_1$ and $\{m_d = l''_d\}_{d \in D}$

$$(j_0, \Psi_0) \sqsubseteq (j, \Psi_1) \;\wedge\; (\forall d \in D.\ \lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d)) \;\Rightarrow\; (j, \lfloor \Psi_1 \rfloor_j, \{m_d = l''_d\}_{d \in D}) \in \alpha \quad (A.15)$$

Note that this last condition holds trivially in the base case of the induction, when $j_0 = 0$. So assume $j < j_0$ and $\Psi_1$ and $l''_d$ are such that $(j_0, \Psi_0) \sqsubseteq (j, \Psi_1)$ and $\lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d)$ for all $d \in D$. Now $j < j_0$ and assumption (A.10) yield that for all $d \in D$

$$\lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d) = \lfloor \lfloor \Psi_0 \rfloor_{j_0}(l'_d) \rfloor_j = \lfloor \lfloor \Psi' \rfloor_{j_0}(l_d) \rfloor_j = \lfloor \Psi' \rfloor_j(l_d)$$

Moreover, from $(k-1, \Psi') \sqsubseteq (j_0, \Psi_0)$ (A.9) and $(j_0, \Psi_0) \sqsubseteq (j, \Psi_1)$, by the transitivity of $\sqsubseteq$ we have that $(k-1, \Psi') \sqsubseteq (j, \Psi_1)$. Since $j < j_0$, the induction hypothesis of the claim gives

$$(j, \lfloor \Psi_1 \rfloor_j, \{m_d = l''_d\}_{d \in D}) \in \alpha$$

and we have established (A.15).

By Definition 3.20 applied to the object type $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$, properties $D \subseteq D$, (A.11), (A.14), and (A.15) establish that indeed $(j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \alpha$. This finishes the inductive proof of claim (A.8), and the proof of the lemma. □

Lemma A.5 (SemInv: Method invocation). For all object types $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ and for all $e \in D$, if $\Sigma \models a : \alpha$ and $\nu_e \in \{+, \mathrm{o}\}$, then $\Sigma \models a.m_e : \tau_e$.

Proof. Let $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$, assume that $e \in D$, $\nu_e \in \{+, \mathrm{o}\}$, and $\Sigma \models a : \alpha$, and show that $\Sigma \models a.m_e : \tau_e$. To this end, let $k > 0$, $\sigma$ and $\Psi$ such that $\sigma :_{k,\Psi} \Sigma$. From $\Sigma \models a : \alpha$ by Definition 3.8 we get that

$$\sigma(a) :_{k,\Psi} \alpha \quad (A.16)$$

We need to show that $\sigma(a).m_e :_{k,\Psi} \tau_e$. Thus, let $j < k$, and consider heaps $h$ and $h'$ and a term $b'$ such that the following three conditions are fulfilled:

$$h :_k \Psi \;\wedge\; (h, \sigma(a).m_e) \to^j (h', b') \;\wedge\; (h', b') \not\to \quad (A.17)$$

From the second and third conjunct of (A.17) by the operational semantics we have that for some $i \le j$, $h^*$ and $b^*$

$$(h, \sigma(a)) \to^i (h^*, b^*) \not\to \;\wedge\; (h^*, b^*.m_e) \to^{j-i} (h', b') \quad (A.18)$$

From the first conjunct together with (A.16) and the first conjunct of (A.17), by Definition 3.6 it follows that there exists a heap typing $\Psi^*$ such that

$$(k, \Psi) \sqsubseteq (k-i, \Psi^*) \;\wedge\; h^* :_{k-i} \Psi^* \;\wedge\; (k-i, \Psi^*, b^*) \in \alpha = [m_d :_{\nu_d} \tau_d]_{d \in D} \quad (A.19)$$

By the definition of object types, the latter shows that there exist $C$ and $\alpha'$ such that $b^* = \{m_c = l_c\}_{c \in C}$, $D \subseteq C$, and (Obj-1) and (Obj-2) hold:

$$\alpha' \in \mathit{Type} \;\wedge\; \lfloor \alpha' \rfloor_{k-i} \subseteq \lfloor \alpha \rfloor_{k-i} \quad (A.20)$$

$$\forall d \in D.\ (k-i, \Psi^*, l_d) \in \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d) \quad (A.21)$$

as well as (Obj-3): for all $j_0 < k-i$, all $\Psi'$ and all $\{m_c = l'_c\}_{c \in C}$

$$\big((k-i, \Psi^*) \sqsubseteq (j_0, \Psi') \;\wedge\; \forall c \in C.\ \lfloor \Psi' \rfloor_{j_0}(l'_c) = \lfloor \Psi^* \rfloor_{j_0}(l_c)\big) \;\Rightarrow\; (j_0, \lfloor \Psi' \rfloor_{j_0}, \{m_c = l'_c\}_{c \in C}) \in \alpha' \quad (A.22)$$

From $e \in D$ and $\nu_e \in \{+, \mathrm{o}\}$ using (A.21) we deduce that $\lfloor \Psi^* \rfloor_{k-i}(l_e) \subseteq \lfloor \alpha' \to \tau_e \rfloor_{k-i}$. So by expanding the definition of $h^* :_{k-i} \Psi^*$ from (A.19) for $k-i-1 < k-i$ we have

$$(k-i-1, \lfloor \Psi^* \rfloor_{k-i-1}, h^*(l_e)) \in \lfloor \alpha' \to \tau_e \rfloor_{k-i} \quad (A.23)$$

By the definition of the procedure type $\alpha' \to \tau_e$ this means in particular that $h^*(l_e)$ must be an abstraction, i.e., for some $x$ and $a'$, $h^*(l_e) = \lambda(x)a'$. Thus, since $\{m_c = l_c\}_{c \in C} \in \mathit{CVal}$ and $e \in D \subseteq C$, by (A.18), Red-Ctx, Red-Inv, Red-Beta and the operational semantics, we obtain a reduction sequence of the form

$$(h, \sigma(a).m_e) \to^i (h^*, \{m_c = l_c\}_{c \in C}.m_e) \to (h^*, (\lambda(x)a')\,\{m_c = l_c\}_{c \in C}) \to (h^*, \{x \mapsto \{m_c = l_c\}_{c \in C}\}(a')) \to^{j-i-2} (h', b') \quad (A.24)$$

Since $k-i-2 < k-i$, by Proposition A.2 we have that

$$(k-i, \Psi^*) \sqsubseteq (k-i-2, \lfloor \Psi^* \rfloor_{k-i-2}) \quad (A.25)$$

We can now use the property (Obj-3) of the object type $\alpha$: we instantiate (A.22) with $l'_c = l_c$, $j_0 = k-i-2$, and $\Psi' = \lfloor \Psi^* \rfloor_{k-i-2}$ to obtain

$$(k-i-2, \lfloor \Psi^* \rfloor_{k-i-2}, \{m_c = l_c\}_{c \in C}) \in \alpha' \quad (A.26)$$

From this using (A.23) and from the definition of procedure types, it follows that

$$\{x \mapsto \{m_c = l_c\}_{c \in C}\}(a') :_{k-i-2, \lfloor \Psi^* \rfloor_{k-i-2}} \tau_e \quad (A.27)$$

On the other hand, the second conjunct of (A.19) implies

$$h^* :_{k-i-2} \lfloor \Psi^* \rfloor_{k-i-2} \quad (A.28)$$

by Definition 3.5, Proposition A.2 and the closure of types under state extension. Moreover, by (A.24), $(h^*, \{x \mapsto \{m_c = l_c\}_{c \in C}\}(a')) \to^{j-i-2} (h', b')$, which by (A.17) is irreducible. This, combined with (A.28) and (A.27), by Definition 3.6 means that there exists $\Psi''$ such that

$$(k-i-2, \lfloor \Psi^* \rfloor_{k-i-2}) \sqsubseteq (k-j, \Psi'') \;\wedge\; h' :_{k-j} \Psi'' \;\wedge\; (k-j, \Psi'', b') \in \tau_e \quad (A.29)$$

From the first conjunct above, the first conjunct in (A.19), and (A.25), using the transitivity of state extension we obtain

$$(k, \Psi) \sqsubseteq (k-j, \Psi'') \quad (A.30)$$

From (A.17), (A.30), and the second and third conjuncts of (A.29), by Definition 3.6 we can conclude that $\sigma(a).m_e :_{k,\Psi} \tau_e$ holds. This is what we needed to show. □

Lemma A.6 (SemUpd: Method update). For all object types $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ and for all $e \in D$, if $\Sigma \models a : \alpha$ and $\Sigma[x := \alpha] \models b : \tau_e$ and $\nu_e \in \{-, \mathrm{o}\}$, then $\Sigma \models a.m_e := \varsigma(x)b : \alpha$.

Proof sketch. The proof is similar to that of Lemma A.5 (Method invocation). The existence of some $\Psi^*$ such that

$$(h, \sigma(a).m_e := \varsigma(x)\sigma(b)) \to^j (h^*, \{m_e = l_e\}_{e \in E}.m_e := \varsigma(x)\sigma(b))$$

with $(k, \Psi) \sqsubseteq (k-j, \Psi^*)$, $h^* :_{k-j} \Psi^*$ and $(k-j, \Psi^*, \{m_e = l_e\}_{e \in E}) \in \alpha$ follows from the existence of a corresponding reduction sequence $(h, \sigma(a)) \to^j (h^*, \{m_e = l_e\}_{e \in E})$. Since the only reduction from $(h^*, \{m_e = l_e\}_{e \in E}.m_e := \varsigma(x)\sigma(b))$ is by (Red-Upd) and results in the configuration $(h', \{m_e = l_e\}_{e \in E})$ where

$$h' = h^*[l_e := \lambda(x)\sigma(b)] \quad (A.31)$$

the proof of the lemma is essentially a matter of showing that $h' :_{k-j-1} \lfloor \Psi^* \rfloor_{k-j-1}$.

First, note that $\mathrm{dom}(\Psi^*) \subseteq \mathrm{dom}(h') = \mathrm{dom}(h^*)$ holds, by $h^* :_{k-j} \Psi^*$. Next, let $i < k-j-1$, and let $l \in \mathrm{dom}(\Psi^*)$. It remains to show that

$$(i, \lfloor \Psi^* \rfloor_i, h'(l)) \in \lfloor \Psi^*(l) \rfloor_{k-j-1} \quad (A.32)$$

Note that by the definition of $(k-j, \Psi^*, \{m_e = l_e\}_{e \in E}) \in \alpha$ (Definition 3.20) it follows that there exists $\alpha' \in \mathit{Type}$ such that $\lfloor \alpha' \rfloor_{k-j} \subseteq \lfloor \alpha \rfloor_{k-j}$, that $D \subseteq E$, and that

$$\forall d \in D.\ (k-j, \Psi^*, l_d) \in \mathrm{ref}_{\nu_d}(\alpha' \to \tau_d) \quad (A.33)$$

We now prove (A.32) by a case distinction on the location $l$:

• Case $l = l_e$. From (A.31) we have that $h'(l_e) = \lambda(x)\sigma(b)$. Since $e \in D \subseteq E$ and $\nu_e \in \{-, \mathrm{o}\}$ by assumption, (A.33) yields $\lfloor \alpha' \to \tau_e \rfloor_{k-j} \subseteq \lfloor \Psi^* \rfloor_{k-j}(l_e)$. Since $\lfloor \alpha' \rfloor_{k-j} \subseteq \lfloor \alpha \rfloor_{k-j}$, the subtyping lemma (SemSubProc) and the non-expansiveness of procedure types yield $\lfloor \alpha \to \tau_e \rfloor_{k-j} \subseteq \lfloor \Psi^* \rfloor_{k-j}(l_e)$. The monotonicity of semantic approximation therefore entails

$$\lfloor \alpha \to \tau_e \rfloor_{k-j-1} \subseteq \lfloor \Psi^* \rfloor_{k-j-1}(l_e) \quad (A.34)$$

Additionally, the assumption $\Sigma[x := \alpha] \models b : \tau_e$ gives $\lambda(x)\sigma(b) :_{k-j, \Psi^*} \alpha \to \tau_e$. Since $0 \le i < k-j$ and $h^* :_{k-j} \Psi^*$, Proposition A.3 yields $(k-j, \Psi^*, \lambda(x)\sigma(b)) \in \alpha \to \tau_e$. By the closure under state extension, this implies $(i, \lfloor \Psi^* \rfloor_i, \lambda(x)\sigma(b)) \in \alpha \to \tau_e$, from which (A.32) follows by (A.34).

• Case $l \ne l_e$. This case is easier since the value in the heap does not change for this location, i.e., $h'(l) = h^*(l)$, so the result follows from the closure under state extension of $\Psi^*(l)$. □

Lemma A.7 (SemClone: Object cloning). For all object types $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$, if $\Sigma \models a : \alpha$ then $\Sigma \models \mathrm{clone}\ a : \alpha$.

Proof sketch. The proof is similar to that of Lemma A.6 (Method update). Assuming $\sigma :_{k,\Psi} \Sigma$ and $h :_k \Psi$ such that $(h, \mathrm{clone}\ \sigma(a))$ halts in fewer than $k$ steps, by appealing to the operational semantics and the assumption that $\Sigma \models a : \alpha$ one obtains the existence of some $\Psi^*$ such that

$$(h, \mathrm{clone}\ \sigma(a)) \to^j (h^*, \mathrm{clone}\ \{m_e = l_e\}_{e \in E}) \to (h', b')$$

with $(k, \Psi) \sqsubseteq (k-j, \Psi^*)$, $h^* :_{k-j} \Psi^*$ and $(k-j, \Psi^*, \{m_e = l_e\}_{e \in E}) \in \alpha$. Since the only reduction from $(h^*, \mathrm{clone}\ \{m_e = l_e\}_{e \in E})$ is by (Red-Clone) it is clear that for some (distinct) $l'_e \notin \mathrm{dom}(h^*)$ we have

$$h' = h^*[l'_e := h^*(l_e)]_{e \in E} \;\wedge\; b' = \{m_e = l'_e\}_{e \in E} \quad (A.35)$$

If we set $\Psi' = \lfloor \Psi^*[l'_e := \Psi^*(l_e)]_{e \in E} \rfloor_{k-j-1}$ then it follows that $(k, \Psi) \sqsubseteq (k-j-1, \Psi')$, and to establish the lemma it suffices to prove

$$h' :_{k-j-1} \Psi' \;\wedge\; (k-j-1, \Psi', \{m_e = l'_e\}_{e \in E}) \in \alpha \quad (A.36)$$

Observing that $\mathrm{dom}(\Psi') \subseteq \mathrm{dom}(h')$ is satisfied, the first conjunct is proved by showing that $(i, \lfloor \Psi' \rfloor_i, h'(l)) \in \lfloor \Psi'(l) \rfloor_{k-j-1}$ holds for all $i < k-j-1$ and all $l \in \mathrm{dom}(\Psi')$. This is done by a case distinction on whether $l \in \mathrm{dom}(\Psi^*)$ or $l = l'_e$ for some $e$. In both cases, the relation follows from $h^* :_{k-j} \Psi^*$ and the closure under state extension of types.

As for the second conjunct of (A.36), we note that $\Psi'$ is constructed from $\Psi^*$ such that $\lfloor \Psi'(l'_e) \rfloor_{k-j-1} = \lfloor \Psi^*(l_e) \rfloor_{k-j-1}$ holds for all $e \in E$. Unfolding the definition of object types for $(k-j, \Psi^*, \{m_e = l_e\}_{e \in E}) \in \alpha$ gives some $\alpha' \in \mathit{Type}$ with $\lfloor \alpha' \rfloor_{k-j} \subseteq \lfloor \alpha \rfloor_{k-j}$ (Obj-1), and condition (Obj-3) then allows us to conclude that $(k-j-1, \lfloor \Psi' \rfloor_{k-j-1}, \{m_e = l'_e\}_{e \in E}) \in \alpha'$. Then the required $(k-j-1, \Psi', \{m_e = l'_e\}_{e \in E}) \in \alpha$ follows from the fact that $\lfloor \Psi' \rfloor_{k-j-1} = \Psi'$ holds by definition of $\Psi'$ and that $\lfloor \alpha' \rfloor_{k-j} \subseteq \lfloor \alpha \rfloor_{k-j} \subseteq \alpha$. □
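The reduction behaviour that the proofs of Lemmas A.4 to A.7 appeal to (Red-Obj allocating one fresh location per method, Red-Inv fetching the stored abstraction and applying it to the object itself, Red-Upd overwriting the location in place, Red-Clone copying the stored abstractions to fresh locations) is easy to lose in the index bookkeeping. The following Python evaluator is an added example, not code from the paper; it implements those rules as assumed from the reduction sequences above, uses environments instead of substitution (an implementation choice), counts one step per rule application (Red-Inv followed by Red-Beta counts two), and adds `const` terms, which are not part of the calculus, only so that results can be observed. The two demo programs show the point the typing lemmas for update and cloning turn on: an update through an alias is visible through every reference to the same locations, including the self parameter bound by $\varsigma$, while an update through a clone is not; `gets_stuck` exhibits the kind of run that the type safety result excludes for well-typed terms.

```python
"""Evaluator for the imperative object calculus, with a step counter.

Assumed reduction rules (Red-Obj, Red-Inv, Red-Beta, Red-Upd, Red-Clone), as
used in the appendix proofs: an object literal allocates one fresh heap
location per method; invocation fetches the stored abstraction and applies
it to the object itself; update overwrites the location in place; clone
copies the stored abstractions into fresh locations.  Environments replace
substitution (an implementation choice), and `const` terms are a constructed
extension used only to observe results.
"""
from dataclasses import dataclass, field


class Stuck(Exception):
    """Raised when no reduction rule applies (what type safety rules out)."""


@dataclass
class Closure:          # the value lambda(x)b stored at a heap location
    x: str
    body: tuple
    env: dict


@dataclass
class Obj:              # the object value {m_d = l_d}_{d in D}
    fields: dict        # method name -> heap location


@dataclass
class Heap:
    cells: dict = field(default_factory=dict)
    next_loc: int = 0

    def alloc(self, value):
        loc = self.next_loc        # fresh location, never reused
        self.next_loc += 1
        self.cells[loc] = value
        return loc


def _lookup(o, m):
    """Locate method m in object o, or get stuck (missing method / non-object)."""
    if not isinstance(o, Obj) or m not in o.fields:
        raise Stuck(f"no method {m!r} in {o!r}")
    return o.fields[m]


def evaluate(term, env, heap, steps=0):
    """Evaluate a closed term, returning (value, reduction steps taken)."""
    kind = term[0]
    if kind == 'const':                               # constructed extension
        return term[1], steps
    if kind == 'var':                                 # lookup, no reduction step
        return env[term[1]], steps
    if kind == 'obj':                                 # Red-Obj (1 step)
        fields = {m: heap.alloc(Closure(x, body, env)) for m, x, body in term[1]}
        return Obj(fields), steps + 1
    if kind == 'inv':                                 # Red-Inv + Red-Beta (2 steps)
        o, steps = evaluate(term[1], env, heap, steps)
        cell = heap.cells[_lookup(o, term[2])]
        if not isinstance(cell, Closure):
            raise Stuck("location does not hold an abstraction")
        return evaluate(cell.body, {**cell.env, cell.x: o}, heap, steps + 2)
    if kind == 'upd':                                 # Red-Upd (1 step)
        o, steps = evaluate(term[1], env, heap, steps)
        heap.cells[_lookup(o, term[2])] = Closure(term[3], term[4], env)
        return o, steps + 1
    if kind == 'clone':                               # Red-Clone (1 step)
        o, steps = evaluate(term[1], env, heap, steps)
        if not isinstance(o, Obj):
            raise Stuck("clone of a non-object")
        copy = {m: heap.alloc(heap.cells[loc]) for m, loc in o.fields.items()}
        return Obj(copy), steps + 1
    if kind == 'let':                                 # (lambda(x)b) a: Red-Beta (1 step)
        v, steps = evaluate(term[2], env, heap, steps)
        return evaluate(term[3], {**env, term[1]: v}, heap, steps + 1)
    raise Stuck(f"unknown term {kind!r}")


# Constructed sample object: get returns 1, via_self calls get through self.
COUNTER = ('obj', [('get', 's', ('const', 1)),
                   ('via_self', 's', ('inv', ('var', 's'), 'get'))])


def update_through_alias():
    """p aliases o, so updating p.get is observed through o (even via self)."""
    prog = ('let', 'o', COUNTER,
            ('let', 'p', ('var', 'o'),
             ('let', '_', ('upd', ('var', 'p'), 'get', 's', ('const', 2)),
              ('inv', ('var', 'o'), 'via_self'))))
    return evaluate(prog, {}, Heap())      # (2, 9)


def update_through_clone():
    """c is a clone: fresh locations, so updating c.get leaves o untouched."""
    prog = ('let', 'o', COUNTER,
            ('let', 'c', ('clone', ('var', 'o')),
             ('let', '_', ('upd', ('var', 'c'), 'get', 's', ('const', 2)),
              ('inv', ('var', 'o'), 'via_self'))))
    return evaluate(prog, {}, Heap())      # (1, 10)


def gets_stuck(term):
    """True when the run reaches a configuration with no applicable rule."""
    try:
        evaluate(term, {}, Heap())
        return False
    except Stuck:
        return True
```

The step counts returned alongside the values are what the index $j$ in the lemmas measures; the alias program takes 9 steps and the clone program 10 (the extra step is Red-Clone), and the semantic typing judgement only constrains runs that halt within the budget $k$.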



A.3. Subtyping Lemmas for Object Types.

Lemma A.8 (SemSubObj: Subtyping object types). If $E \subseteq D$ and for all $e \in E$, $\nu_e \in \{+, \mathrm{o}\}$ implies $\alpha_e \subseteq \beta_e$ and $\nu_e \in \{-, \mathrm{o}\}$ implies $\beta_e \subseteq \alpha_e$, then $[m_d :_{\nu_d} \alpha_d]_{d \in D} \subseteq [m_e :_{\nu_e} \beta_e]_{e \in E}$.

Proof. We denote $\alpha = [m_d :_{\nu_d} \alpha_d]_{d \in D}$ and $\beta = [m_e :_{\nu_e} \beta_e]_{e \in E}$. We assume that $E \subseteq D$ and

$$\forall e \in E.\ (\nu_e \in \{+, \mathrm{o}\} \Rightarrow \alpha_e \subseteq \beta_e) \;\wedge\; (\nu_e \in \{-, \mathrm{o}\} \Rightarrow \beta_e \subseteq \alpha_e) \quad (A.37)$$

and prove that for all heap typings $\Psi$, for all values $v$ and all $k \ge 0$, if $(k, \Psi, v) \in \alpha$ then $(k, \Psi, v) \in \beta$, by complete induction on $k$. The induction hypothesis is that for all $j < k$ if $(j, \Psi, v) \in \alpha$ then $(j, \Psi, v) \in \beta$, or equivalently $\lfloor \alpha \rfloor_k \subseteq \lfloor \beta \rfloor_k$.

If we assume that $(k, \Psi, v) \in \alpha$, then by the definition of $\alpha$ (Definition 3.20) we have that $v = \{m_c = l_c\}_{c \in C}$, $D \subseteq C$ and there exists $\alpha' \in \mathit{Type}$ such that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and

$$\forall d \in D.\ (k, \Psi, l_d) \in \mathrm{ref}_{\nu_d}(\alpha' \to \alpha_d) \quad (A.38)$$

Moreover, condition (Obj-3) holds with respect to $\alpha$, i.e., for all $j < k$, all $\Psi'$ and all $\{m_c = l'_c\}_{c \in C}$ such that $(k, \Psi) \sqsubseteq (j, \Psi')$,

$$(\forall c \in C.\ \lfloor \Psi' \rfloor_j(l'_c) = \lfloor \Psi \rfloor_j(l_c)) \;\Rightarrow\; (j, \lfloor \Psi' \rfloor_j, \{m_c = l'_c\}_{c \in C}) \in \alpha' \quad (A.39)$$

From $E \subseteq D$ and $D \subseteq C$ by transitivity $E \subseteq C$. From $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and the induction hypothesis $\lfloor \alpha \rfloor_k \subseteq \lfloor \beta \rfloor_k$ we get that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \beta \rfloor_k$, i.e., (Obj-1) holds. Moreover, (A.39) entails that condition (Obj-3) also holds with respect to the object type $\beta$. So in order to conclude that $(k, \Psi, v) \in \beta$, and therefore that $\alpha \subseteq \beta$, all that remains to be proven is condition (Obj-2):

$$\forall e \in E.\ (k, \Psi, l_e) \in \mathrm{ref}_{\nu_e}(\alpha' \to \beta_e)$$

For this, we choose some $e \in E$ and do a case analysis on the variance annotation $\nu_e$.

• Case $\nu_e = +$. By (A.37) we deduce that $\alpha_e \subseteq \beta_e$; thus by the covariance of the procedure type constructor in its second argument (SemSubProc in Figure 6) we get that $\alpha' \to \alpha_e \subseteq \alpha' \to \beta_e$. But since $E \subseteq D$, from (A.38) we know that $(k, \Psi, l_e) \in \mathrm{ref}_{+}(\alpha' \to \alpha_e)$. Since the type constructor $\mathrm{ref}_{+}$ is covariant (SemSubCovRef in Figure 7) this implies $(k, \Psi, l_e) \in \mathrm{ref}_{+}(\alpha' \to \beta_e)$.

• Case $\nu_e = -$. Similarly to the previous case, (A.37) gives us that $\beta_e \subseteq \alpha_e$. Again by the covariance of $\lambda \tau.\ \alpha' \to \tau$ (SemSubProc) we infer that $\alpha' \to \beta_e \subseteq \alpha' \to \alpha_e$. From (A.38) $(k, \Psi, l_e) \in \mathrm{ref}_{-}(\alpha' \to \alpha_e)$, so by the contravariance of $\mathrm{ref}_{-}$ (SemSubConRef in Figure 7) we get that $(k, \Psi, l_e) \in \mathrm{ref}_{-}(\alpha' \to \beta_e)$.

• Case $\nu_e = \mathrm{o}$. Now (A.37) entails that $\alpha_e = \beta_e$. Since $(k, \Psi, l_e) \in \mathrm{ref}_{\mathrm{o}}(\alpha' \to \alpha_e)$ by (A.38) we immediately obtain that also $(k, \Psi, l_e) \in \mathrm{ref}_{\mathrm{o}}(\alpha' \to \beta_e)$. □
Lemma A.9 (SemSubObjVar: Subtyping object variances). If for all $d \in D$ we have $\nu_d = \mathrm{o}$ or $\nu_d = \nu'_d$ then $[m_d :_{\nu_d} \tau_d]_{d \in D} \subseteq [m_d :_{\nu'_d} \tau_d]_{d \in D}$.

Proof. The proof proceeds similarly to the proof of Lemma A.8. Let us denote $\alpha = [m_d :_{\nu_d} \tau_d]_{d \in D}$ and $\alpha' = [m_d :_{\nu'_d} \tau_d]_{d \in D}$. We assume that

$$\forall d \in D.\ \nu_d = \mathrm{o} \;\vee\; \nu_d = \nu'_d \quad (A.40)$$

Let $\Psi$ and $v$ be arbitrary. We prove that for all $k \ge 0$, if $(k, \Psi, v) \in \alpha$ then $(k, \Psi, v) \in \alpha'$, by complete induction on $k$. The induction hypothesis is that for all $j < k$ if $(j, \Psi, v) \in \alpha$ then $(j, \Psi, v) \in \alpha'$, or equivalently $\lfloor \alpha \rfloor_k \subseteq \lfloor \alpha' \rfloor_k$.

Assume that $(k, \Psi, v) \in \alpha$, then by the definition of $\alpha$ we have that $v = \{m_e = l_e\}_{e \in E}$, $D \subseteq E$, and there exists a type $\alpha''$ such that $\lfloor \alpha'' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and

$$\forall d \in D.\ (k, \Psi, l_d) \in \mathrm{ref}_{\nu_d}(\alpha'' \to \tau_d) \quad (A.41)$$

Moreover, condition (Obj-3) holds.

From $\lfloor \alpha'' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and the induction hypothesis $\lfloor \alpha \rfloor_k \subseteq \lfloor \alpha' \rfloor_k$, by transitivity we get that $\lfloor \alpha'' \rfloor_k \subseteq \lfloor \alpha' \rfloor_k$. This choice of $\alpha''$ also shows that (Obj-3) holds for $(k, \Psi, v)$ with respect to $\alpha'$. So in order to show that $(k, \Psi, v) \in \alpha'$, and therefore that $\alpha \subseteq \alpha'$, all that remains to be proven is that:

$$\forall d \in D.\ (k, \Psi, l_d) \in \mathrm{ref}_{\nu'_d}(\alpha'' \to \tau_d)$$

We show this by case analysis on the disjunction in (A.40). Both cases are trivial:

• Case $\nu_d = \mathrm{o}$. From (A.41) and $\mathrm{ref}_{\mathrm{o}}(\alpha'' \to \tau_d) \subseteq \mathrm{ref}_{\nu'_d}(\alpha'' \to \tau_d)$ (SemSubVarRef in Figure 7) it is immediate that $(k, \Psi, l_d) \in \mathrm{ref}_{\nu'_d}(\alpha'' \to \tau_d)$.

• Case $\nu_d = \nu'_d$; then the required statement is the same as (A.41). □



A.4. Typing Lemmas with Structural Assumptions for Self Types.

Lemma A.10 (SemUpd-Str: Method update with structural assumptions). For all object types $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and $\alpha' \in \mathit{Type}$ such that $\alpha' \triangleleft \alpha$, if $e \in D$, $\nu_e \in \{-, \mathrm{o}\}$ and $\Sigma \models a : \alpha'$ and $\Sigma[x := \alpha'] \models b : F_e(\alpha')$, then $\Sigma \models a.m_e := \varsigma(x)b : \alpha'$.

Proof. The proof is an adaptation of the proof given for Lemma A.6 (Method update) above. Assume $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$, $e \in D$, and $\nu_e \in \{-, \mathrm{o}\}$, and let $\alpha' \in \mathit{Type}$ such that $\alpha' \triangleleft \alpha$. Moreover assume that $\Sigma \models a : \alpha'$ and $\Sigma[x := \alpha'] \models b : F_e(\alpha')$ hold. We show that $\Sigma \models a.m_e := \varsigma(x)b : \alpha'$.

Let $k > 0$, $\sigma$ be a value environment and $\Psi$ be a heap typing such that $\sigma :_{k,\Psi} \Sigma$. We must prove that $\sigma(a.m_e := \varsigma(x)b) :_{k,\Psi} \alpha'$, so let $h$ and $j < k$ be such that

$$h :_k \Psi \;\wedge\; (h, \sigma(a).m_e := \varsigma(x)\sigma(b)) \to^j (h', a') \;\wedge\; (h', a') \not\to \quad (A.42)$$

By the operational semantics, this sequence is induced by $(h, \sigma(a)) \to^i (h'', a'')$ for $i \le j$ and some $h''$ and $a''$, and by the assumption $\Sigma \models a : \alpha'$ there exists some $\Psi''$ such that

$$(k, \Psi) \sqsubseteq (k-i, \Psi'') \;\wedge\; h'' :_{k-i} \Psi'' \;\wedge\; (k-i, \Psi'', a'') \in \alpha' \subseteq [m_d :_{\nu_d} F_d]_{d \in D} \quad (A.43)$$

In particular, $a''$ is of the form $\{m_e = l_e\}_{e \in E}$ for some $E \supseteq D$, and by the operational semantics $(h'', a''.m_e := \varsigma(x)\sigma(b)) \to (h', a'')$. In particular, $a'$ is $a''$, $h'$ is $h''[l_e := \lambda(x)\sigma(b)]$, and $j = i + 1$. By choosing $\Psi' = \lfloor \Psi'' \rfloor_{k-j}$, the first and last conjuncts of (A.43) yield

$$(k, \Psi) \sqsubseteq (k-j, \Psi') \;\wedge\; (k-j, \Psi', a'') \in \alpha'$$

by Proposition A.2 and transitivity, and by closure under state extension of $\alpha'$. To establish the lemma, it remains to show that $h' :_{k-j} \Psi'$. For $l \in \mathrm{dom}(\Psi') - \{l_e\}$ this follows from the second conjunct of (A.43) by the closure under state extension. The interesting case is when $l = l_e$, where $h'(l_e) = \lambda(x)\sigma(b)$, and we must prove $(i', \lfloor \Psi' \rfloor_{i'}, \lambda(x)\sigma(b)) \in \Psi'(l_e)$ for all $i' < k-j$. Since $\alpha' \triangleleft \alpha$ and $(k-j, \Psi', a'') \in \alpha'$, condition (Obj-2-Self) in Definition 5.2 (Self type exposure) yields $(k-j, \Psi', l_e) \in \mathrm{ref}_{\nu_e}(\alpha' \to F_e(\alpha'))$. By assumption, $\nu_e \in \{-, \mathrm{o}\}$, so $\Psi'(l_e) \supseteq \lfloor \alpha' \to F_e(\alpha') \rfloor_{k-j}$ holds by the definition of $\mathrm{ref}_{\nu_e}$. Hence it suffices to prove that

$$\lambda(x)\sigma(b) :_{k-j, \Psi'} \alpha' \to F_e(\alpha')$$

which follows from the assumption $\Sigma[x := \alpha'] \models b : F_e(\alpha')$ (using SemLam and $\sigma :_{k-j, \Psi'} \Sigma$); Proposition A.3, applied with $h'' :_{k-j} \Psi'$, together with closure under state extension then gives the required membership at every $i' < k-j$. □

Proposition A.11 (Self type exposure). Let $\alpha$ be a self type and suppose $(k, \Psi, v) \in \alpha$. Then there exists $\alpha'' \in \mathit{Type}$ such that $\alpha'' \triangleleft \alpha$ and $(k-1, \lfloor \Psi \rfloor_{k-1}, v) \in \alpha''$.

Proof. Suppose $(k, \Psi, v) \in \alpha = [m_d :_{\nu_d} F_d]_{d \in D}$. By Definition 5.1 (Self types), this means that there exists $\alpha' \in \mathit{Type}$ such that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and conditions (Obj-2-Self) and (Obj-3) are satisfied. Choosing $\alpha'' = \lfloor \alpha' \rfloor_k$, it is clear that $\alpha'' \triangleleft \alpha$ since all the conditions only rely on $\alpha'$ to approximation $k$. Moreover, by instantiating $\Psi' = \Psi$ and $\{m_e = l'_e\}_{e \in E} = v$ in (Obj-3) we obtain that $(k-1, \lfloor \Psi \rfloor_{k-1}, v) \in \alpha''$. This proves the proposition. □

Lemma A.12 (SemLet-Str: Introducing structural assumptions). Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and suppose that $\Sigma \models a : \alpha$ and that $\Sigma[x := \xi] \models b : \beta$ for all $\xi \in \mathit{Type}$ with $\xi \triangleleft \alpha$. Then $\Sigma \models \mathrm{let}\ x = a\ \mathrm{in}\ b : \beta$.

Proof. Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and suppose that $\Sigma \models a : \alpha$ and that $\Sigma[x := \xi] \models b : \beta$ for all $\xi \in \mathit{Type}$ with $\xi \triangleleft \alpha$. We must show that $\Sigma \models \mathrm{let}\ x = a\ \mathrm{in}\ b : \beta$. Thus, let $k > 0$, $\Psi$ and $\sigma$ be such that $\sigma :_{k,\Psi} \Sigma$. By the definition of the semantic typing judgement (Definition 3.8) we must show that $\sigma(\mathrm{let}\ x = a\ \mathrm{in}\ b) :_{k,\Psi} \beta$, or equivalently (after suitable $\alpha$-renaming and removing the syntactic sugar) that

$$(\lambda(x)\sigma(b))\,\sigma(a) :_{k,\Psi} \beta$$

Suppose $j < k$, $h$, $h'$ and $b'$ are such that

$$h :_k \Psi \;\wedge\; (h, (\lambda(x)\sigma(b))\,\sigma(a)) \to^j (h', b') \;\wedge\; (h', b') \not\to \quad (A.44)$$

From the second and third conjunct of (A.44) by the operational semantics we have that for some $i \le j < k$, some $h''$ and some $a''$,

$$(h, \sigma(a)) \to^i (h'', a'') \not\to \;\wedge\; (h'', (\lambda(x)\sigma(b))\,a'') \to^{j-i} (h', b') \quad (A.45)$$

From the first conjunct together with the assumption $\Sigma \models a : \alpha$ and the first conjunct of (A.44), by Definition 3.6 it follows that there exists a heap typing $\Psi''$ such that

$$(k, \Psi) \sqsubseteq (k-i, \Psi'') \;\wedge\; h'' :_{k-i} \Psi'' \;\wedge\; (k-i, \Psi'', a'') \in \alpha = [m_d :_{\nu_d} F_d]_{d \in D} \quad (A.46)$$

In particular, $a'' \in \mathit{Val}$ and the operational semantics gives

$$(h, (\lambda(x)\sigma(b))\,\sigma(a)) \to^i (h'', (\lambda(x)\sigma(b))\,a'') \to (h'', \sigma[x := a''](b)) \to^{j-i-1} (h', b') \quad (A.47)$$

From the third conjunct of (A.46) by Proposition A.11 there exists $\alpha' \in \mathit{Type}$ such that $\alpha' \triangleleft \alpha$ and $(k-i-1, \lfloor \Psi'' \rfloor_{k-i-1}, a'') \in \alpha'$. From $\sigma :_{k,\Psi} \Sigma$, the first conjunct of (A.46), Propositions A.1 and A.2 and the closure under state extension, this yields

$$\sigma[x := a''] :_{k-i-1, \lfloor \Psi'' \rfloor_{k-i-1}} \Sigma[x := \alpha'] \quad (A.48)$$

Since $\alpha' \triangleleft \alpha$, by instantiating the universally quantified type $\xi$ in the hypothesis on $b$ we obtain that $\Sigma[x := \alpha'] \models b : \beta$. Therefore, (A.48) gives $\sigma[x := a''](b) :_{k-i-1, \lfloor \Psi'' \rfloor_{k-i-1}} \beta$.

Clearly $h'' :_{k-i-1} \lfloor \Psi'' \rfloor_{k-i-1}$ by the second conjunct of (A.46), so that the last reduction in (A.47) shows that there is some $\Psi'$ such that $(k, \Psi) \sqsubseteq (k-i-1, \lfloor \Psi'' \rfloor_{k-i-1}) \sqsubseteq (k-j, \Psi')$, $h' :_{k-j} \Psi'$ and $(k-j, \Psi', b') \in \beta$, by Definition 3.6. This establishes that $\sigma(\mathrm{let}\ x = a\ \mathrm{in}\ b) :_{k,\Psi} \beta$ holds as required. □

We next define a recursive type of records $\{| m_d :_{\nu_d} F_d |\}_{d \in D}$, which is the type arising from the recursive record interpretation of (imperative) objects [18]. While this type does not give rise to non-trivial subtyping, we will show that it satisfies $\{| m_d :_{\nu_d} F_d |\}_{d \in D} \triangleleft [m_d :_{\nu_d} F_d]_{d \in D}$ (Proposition A.14).

Definition A.13. Assume $F_d : \mathit{Type} \to \mathit{Type}$ are monotonic and non-expansive type constructors, for all $d \in D$. Then let $\beta = \{| m_d :_{\nu_d} F_d |\}_{d \in D}$ be defined as the set of all triples $(k, \Psi, \{m_d = l_d\}_{d \in D})$ such that

$$(\forall d \in D.\ (k, \Psi, l_d) \in \mathrm{ref}_{\nu_d}(\beta \to F_d(\beta))) \quad \text{(Rec-1)}$$

$$\wedge\; (\forall j < k.\ \forall \Psi'.\ \forall \{m_d = l'_d\}_{d \in D}.\ (k, \Psi) \sqsubseteq (j, \Psi') \;\wedge\; (\forall d \in D.\ \lfloor \Psi' \rfloor_j(l'_d) = \lfloor \Psi \rfloor_j(l_d)) \;\Rightarrow\; (j, \lfloor \Psi' \rfloor_j, \{m_d = l'_d\}_{d \in D}) \in \beta) \quad \text{(Rec-2)}$$

Note that the recursive specification of $\beta$ is well-founded, i.e., $\beta$ is well-defined. Moreover, $\beta$ is a type, i.e., it is closed under state extension.

Proposition A.14. For all self types $[m_d :_{\nu_d} F_d]_{d \in D}$ we have that

$$\{| m_d :_{\nu_d} F_d |\}_{d \in D} \triangleleft [m_d :_{\nu_d} F_d]_{d \in D}$$

Proof. Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and $\beta = \{| m_d :_{\nu_d} F_d |\}_{d \in D}$ for some arbitrary monotonic and non-expansive type constructors $F_d$. It is clear that for all $(k, \Psi, \{m_d = l_d\}_{d \in D}) \in \beta$, conditions (Obj-2-Self) and (Obj-3) from Definition 5.2 are satisfied, by the definition of $\beta$ (Definition A.13). It remains to prove that $\beta \subseteq \alpha$. We establish this by showing that for all $k \ge 0$, $\lfloor \beta \rfloor_k \subseteq \lfloor \alpha \rfloor_k$, by complete induction on $k$. Let $(k, \Psi, \{m_d = l_d\}_{d \in D}) \in \beta$; we need to show that $(k, \Psi, \{m_d = l_d\}_{d \in D}) \in \alpha$. We have that $D \subseteq D$ and we choose $\alpha' = \beta$, which is a type and fulfills $\lfloor \beta \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ (Obj-1) by the induction hypothesis. The conditions (Obj-2-Self) and (Obj-3) in Definition 5.1 (Self types) are exactly the same as conditions (Rec-1) and (Rec-2) in the definition of $\beta$ (Definition A.13), which concludes the proof. □

Lemma A.15 (SemObj-Str: Object construction with structural assumptions). Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and suppose that for all $d \in D$ and all $\xi \in \mathit{Type}$ with $\xi \triangleleft \alpha$, $\Sigma[x_d := \xi] \models b_d : F_d(\xi)$. Then $\Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha$.

Proof. Let $\alpha = [m_d :_{\nu_d} F_d]_{d \in D}$ and assume that

$$\forall d \in D.\ \forall \xi \in \mathit{Type}.\ \xi \triangleleft \alpha \Rightarrow \Sigma[x_d := \xi] \models b_d : F_d(\xi) \quad (A.49)$$

We must show that $\Sigma \models [m_d = \varsigma(x_d)b_d]_{d \in D} : \alpha$. Thus, let $k > 0$, $\sigma$ be a value environment and $\Psi$ be a heap typing such that $\sigma :_{k,\Psi} \Sigma$. By Definition 3.8 we need to show that $\sigma([m_d = \varsigma(x_d)b_d]_{d \in D}) :_{k,\Psi} \alpha$. Equivalently (after suitable $\alpha$-renaming), we show that

$$[m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D} :_{k,\Psi} \alpha$$

Suppose $j < k$, $h$, $h'$ and $b'$ are such that the following three conditions are fulfilled:

$$h :_k \Psi \;\wedge\; (h, [m_d = \varsigma(x_d)\sigma(b_d)]_{d \in D}) \to^j (h', b') \;\wedge\; (h', b') \not\to \quad (A.50)$$

By the operational semantics Red-Obj is the only rule that applies, which means that necessarily $j = 1$ and for some distinct $l_d \notin \mathrm{dom}(h)$ we have $b' = \{m_d = l_d\}_{d \in D}$ and

$$h' = h[l_d := \lambda(x_d)\sigma(b_d)]_{d \in D} \quad (A.51)$$

Let $\beta = \{| m_d :_{\nu_d} F_d |\}_{d \in D}$, as in Definition A.13. We choose

$$\Psi' = \lfloor \Psi[l_d := (\beta \to F_d(\beta))]_{d \in D} \rfloor_{k-1} \quad (A.52)$$

and show that

$$(k, \Psi) \sqsubseteq (k-1, \Psi') \;\wedge\; h' :_{k-1} \Psi' \;\wedge\; (k-1, \Psi', b') \in \alpha \quad (A.53)$$

The first conjunct of (A.53) holds by the construction of $\Psi'$ (A.52). In order to show the second conjunct, let $i < k-1$ and $l \in \mathrm{dom}(\Psi')$. We now need to show that $(i, \lfloor \Psi' \rfloor_i, h'(l)) \in \Psi'(l)$. In case $l \in \mathrm{dom}(\Psi)$ the proof proceeds exactly as for Lemma A.4, so we only consider the case when $l = l_d$ for some $d \in D$. From (A.51) and (A.52) we get that

$$h'(l) = \lambda(x_d)\sigma(b_d) \;\wedge\; \Psi'(l) = \lfloor \beta \to F_d(\beta) \rfloor_{k-1}$$

Thus we need to show that

$$(i, \lfloor \Psi' \rfloor_i, \lambda(x_d)\sigma(b_d)) \in \lfloor \beta \to F_d(\beta) \rfloor_{k-1} \quad (A.54)$$

By Proposition A.14 we obtain that $\beta \triangleleft \alpha$, so we can instantiate the universally quantified $\xi$ in (A.49) with $\beta$ and obtain that

$$\Sigma[x_d := \beta] \models b_d : F_d(\beta)$$

By SemLam in Figure 6 (Lemma 3.15) this gives us that

$$\Sigma \models \lambda(x_d)b_d : \beta \to F_d(\beta)$$

From this and $\sigma :_{k,\Psi} \Sigma$ by Definition 3.8 we obtain

$$\lambda(x_d)\sigma(b_d) :_{k,\Psi} \beta \to F_d(\beta) \quad (A.55)$$

Since $k > 1$ and from (A.50) $h :_k \Psi$, Proposition A.3 shows that (A.55) implies

$$(k, \Psi, \lambda(x_d)\sigma(b_d)) \in \beta \to F_d(\beta) \quad (A.56)$$

By Proposition A.2 we get that $(k-1, \Psi') \sqsubseteq (i, \lfloor \Psi' \rfloor_i)$, which together with the first conjunct of (A.53) and the transitivity of $\sqsubseteq$ yields $(k, \Psi) \sqsubseteq (i, \lfloor \Psi' \rfloor_i)$. Since each $\beta \to F_d(\beta)$ is closed under state extension, the latter property and (A.56) imply the required (A.54).

Finally, we need to show the third conjunct of (A.53), i.e., $(k-1, \Psi', \{m_d = l_d\}_{d \in D}) \in \alpha$. To this end, we prove the following more general claim:

Claim: For all $j_0 \ge 0$, for all $\Psi_0$ and for all $\{m_d = l'_d\}_{d \in D}$

$$(k-1, \Psi') \sqsubseteq (j_0, \Psi_0) \;\wedge\; (\forall d \in D.\ \lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d)) \;\Rightarrow\; (j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \beta \quad (A.57)$$

From this and $\lfloor \Psi' \rfloor_{k-1} = \Psi'$, the last conjunct of (A.53) follows by taking $j_0 = k-1$, $\Psi_0 = \Psi'$ and $l'_d = l_d$ for all $d \in D$, and by observing that $\sqsubseteq$ is reflexive (Proposition A.1) and $\beta \subseteq \alpha$ (since $\beta \triangleleft \alpha$).

The claim above is proved by complete induction on $j_0$. So assume $j_0 \ge 0$ and $\Psi_0$ are such that

$$(k-1, \Psi') \sqsubseteq (j_0, \Psi_0) \quad (A.58)$$

Moreover, for all $d \in D$ let $l'_d \in \mathrm{dom}(\Psi_0)$ such that

$$\forall d \in D.\ \lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d) \quad (A.59)$$

We show that $(j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \beta$ by checking that the two conditions from the definition of $\beta$ (Definition A.13) are satisfied. By the construction of $\Psi'$ in (A.52), together with (A.58) and (A.59), it follows that for all $d \in D$

$$\lfloor \Psi_0 \rfloor_{j_0}(l'_d) = \lfloor \Psi' \rfloor_{j_0}(l_d) = \lfloor \beta \to F_d(\beta) \rfloor_{j_0} \quad (A.60)$$

By the definition of reference types (Definition 3.16) this implies that

$$\forall d \in D.\ (j_0, \lfloor \Psi_0 \rfloor_{j_0}, l'_d) \in \mathrm{ref}_{\mathrm{o}}(\beta \to F_d(\beta)) \quad (A.61)$$

By the lemma for subtyping reference types (SemSubVarRef in Figure 7) we then obtain property (Rec-1):

$$\forall d \in D.\ (j_0, \lfloor \Psi_0 \rfloor_{j_0}, l'_d) \in \mathrm{ref}_{\nu_d}(\beta \to F_d(\beta)) \quad (A.62)$$

Second, we must prove (Rec-2), i.e., that for all $j < j_0$, $\Psi_1$ and $\{m_d = l''_d\}_{d \in D}$

$$(j_0, \Psi_0) \sqsubseteq (j, \Psi_1) \;\wedge\; (\forall d \in D.\ \lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d)) \;\Rightarrow\; (j, \lfloor \Psi_1 \rfloor_j, \{m_d = l''_d\}_{d \in D}) \in \beta \quad (A.63)$$

Note that this last condition holds vacuously in the base case of the induction, when $j_0 = 0$. So assume $j < j_0$ and $\Psi_1$ and $l''_d$ are such that $(j_0, \Psi_0) \sqsubseteq (j, \Psi_1)$ and $\lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d)$ for all $d \in D$. Now $j < j_0$ and assumption (A.59) yield that for all $d \in D$

$$\lfloor \Psi_1 \rfloor_j(l''_d) = \lfloor \Psi_0 \rfloor_j(l'_d) = \lfloor \lfloor \Psi_0 \rfloor_{j_0}(l'_d) \rfloor_j = \lfloor \lfloor \Psi' \rfloor_{j_0}(l_d) \rfloor_j = \lfloor \Psi' \rfloor_j(l_d)$$

Moreover, from $(k-1, \Psi') \sqsubseteq (j_0, \Psi_0)$ (A.58) and $(j_0, \Psi_0) \sqsubseteq (j, \Psi_1)$, by the transitivity of $\sqsubseteq$ we have that $(k-1, \Psi') \sqsubseteq (j, \Psi_1)$. Since $j < j_0$, the induction hypothesis of the claim gives

$$(j, \lfloor \Psi_1 \rfloor_j, \{m_d = l''_d\}_{d \in D}) \in \beta$$

and we have established (A.63).

By Definition A.13 applied to the type $\beta = \{| m_d :_{\nu_d} F_d |\}_{d \in D}$, the properties (A.62) and (A.63) establish that indeed $(j_0, \lfloor \Psi_0 \rfloor_{j_0}, \{m_d = l'_d\}_{d \in D}) \in \beta$. This finishes the inductive proof of claim (A.57), and the proof of the lemma. □



A.5. Subtyping Lemma for Generalized Object Types.

Lemma A.16 (SemSubGen-Obj: Subtyping generalized object types). If $E \subseteq D$ and for all $e \in E$ we have that $\beta_e^{-} \subseteq \alpha_e^{-}$ and $\alpha_e^{+} \subseteq \beta_e^{+}$ then $[m_d : (\alpha_d^{-}, \alpha_d^{+})]_{d \in D} \subseteq [m_e : (\beta_e^{-}, \beta_e^{+})]_{e \in E}$.

Proof. Denote $\alpha = [m_d : (\alpha_d^{-}, \alpha_d^{+})]_{d \in D}$, $\beta = [m_e : (\beta_e^{-}, \beta_e^{+})]_{e \in E}$, assume $E \subseteq D$ and

$$\forall e \in E.\ (\beta_e^{-} \subseteq \alpha_e^{-} \;\wedge\; \alpha_e^{+} \subseteq \beta_e^{+}) \quad (A.64)$$

We prove that for all heap typings $\Psi$, for all values $v$ and all $k \ge 0$, if $(k, \Psi, v) \in \alpha$ then $(k, \Psi, v) \in \beta$, by complete induction on $k$. The induction hypothesis is that $\lfloor \alpha \rfloor_k \subseteq \lfloor \beta \rfloor_k$.

If we assume that $(k, \Psi, v) \in \alpha$, then by the definition of $\alpha$ (Definition 3.20 with condition (Obj-2-Gen) instead of (Obj-2)) we have that $v = \{m_c = l_c\}_{c \in C}$, $D \subseteq C$ and there exists $\alpha' \in \mathit{Type}$ such that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and

$$\forall d \in D.\ (k, \Psi, l_d) \in \mathrm{ref}(\alpha' \to \alpha_d^{-}, \alpha' \to \alpha_d^{+}) \quad (A.65)$$

Moreover, condition (Obj-3) holds with respect to $\alpha$, i.e., for all $j < k$, all $\Psi'$ and all $\{m_c = l'_c\}_{c \in C}$ such that $(k, \Psi) \sqsubseteq (j, \Psi')$,

$$(\forall c \in C.\ \lfloor \Psi' \rfloor_j(l'_c) = \lfloor \Psi \rfloor_j(l_c)) \;\Rightarrow\; (j, \lfloor \Psi' \rfloor_j, \{m_c = l'_c\}_{c \in C}) \in \alpha' \quad (A.66)$$

From $E \subseteq D$ and $D \subseteq C$ by transitivity $E \subseteq C$. From $\lfloor \alpha' \rfloor_k \subseteq \lfloor \alpha \rfloor_k$ and the induction hypothesis $\lfloor \alpha \rfloor_k \subseteq \lfloor \beta \rfloor_k$ we get that $\lfloor \alpha' \rfloor_k \subseteq \lfloor \beta \rfloor_k$, i.e., (Obj-1) holds. Moreover, (A.66) entails that condition (Obj-3) also holds with respect to the object type $\beta$. So in order to conclude that $(k, \Psi, v) \in \beta$, all that remains to be proven is condition (Obj-2-Gen):

$$\forall e \in E.\ (k, \Psi, l_e) \in \mathrm{ref}(\alpha' \to \beta_e^{-}, \alpha' \to \beta_e^{+}) \quad (A.67)$$

Let $e \in E$. Since the procedure type constructor is covariant in the result type (SemSubProc in Figure 6) assumption (A.64) implies that

$$\alpha' \to \beta_e^{-} \subseteq \alpha' \to \alpha_e^{-} \;\wedge\; \alpha' \to \alpha_e^{+} \subseteq \alpha' \to \beta_e^{+}$$

From this by (SemSubRef-Gen) we get that

$$\mathrm{ref}(\alpha' \to \alpha_e^{-}, \alpha' \to \alpha_e^{+}) \subseteq \mathrm{ref}(\alpha' \to \beta_e^{-}, \alpha' \to \beta_e^{+})$$

This together with (A.65) and $E \subseteq D$ directly implies (A.67), which concludes the proof. □